-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow DNS port when performing iptables filtering on cloud provider metadata IP #12
Allow DNS port when performing iptables filtering on cloud provider metadata IP #12
Conversation
/assign @squeed |
{"-A", "OUTPUT", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
{"-A", "FORWARD", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
// Block cloud metadata IP on all ports except 53 for tcp/udp | ||
{"-p", "tcp", "-A", "OUTPUT", "-d", "169.254.169.254", "!", "--dport", "53", "-j", "REJECT"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's convention to put the "-A OUTPUT" first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, just updated the PR
72c55d8
to
e1697de
Compare
cc @danwinship |
I think maybe it would be better to only block port 80/443 rather than to block everything except 53. Also, we're blocking it in two places: see However, do we actually know that the metadata service on GCP contains privileged information that we need to prevent pods from accessing? Maybe the fix is "only block on AWS", not "only block http". |
I would prefer whitelisting over blacklisting.
The GKE documentation seems to imply that, yes, the cluster metadata endpoint can contain sensitive information. |
I agree with @squeed concerning the IPs to block. I will update the PR with modifications to the additional file you mentioned @danwinship |
e1697de
to
1a68220
Compare
Just updated the PR to drop packets to 443 and 80 only. Please have a look and let me know |
/assign @danwinship |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably
/hold
this until we've confirmed the situation on Azure...
{"-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "-d", "169.254.169.254", "--dport", "80", "-j", "REJECT"}, | ||
{"-A", "OUTPUT", "-p", "udp", "-m", "udp", "-d", "169.254.169.254", "--dport", "80", "-j", "REJECT"}, | ||
{"-A", "FORWARD", "-p", "tcp", "-m", "tcp", "-d", "169.254.169.254", "--dport", "443", "-j", "REJECT"}, | ||
{"-A", "FORWARD", "-p", "udp", "-m", "udp", "-d", "169.254.169.254", "--dport", "443", "-j", "REJECT"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This got messed up in one of the rewrites... now it's blocking port 80 in OUTPUT
and port 443 in FORWARD
.
Also, we don't need to block UDP, just TCP. Also, you can simplify using multiport
. So (I think, not tested):
{"-A", "OUTPUT", "-d", "169.254.169.254", "-p", "tcp", "-m", "multiport", "--destination-ports", "80,443", "-j", "REJECT"},
{"-A", "FORWARD", "-d", "169.254.169.254", "-p", "tcp", "-m", "multiport", "--destination-ports", "80,443", "-j", "REJECT"},
but also, @squeed, what's the verdict on 8080?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Waiting for the west coast to have coffee, then we'll see.
pkg/network/node/ovscontroller.go
Outdated
otx.AddFlow("table=30, priority=75, ip, tcp, tcp_dst=80, nw_dst=169.254.0.0/16, actions=drop") | ||
otx.AddFlow("table=30, priority=75, ip, tcp, tcp_dst=443, nw_dst=169.254.0.0/16, actions=drop") | ||
otx.AddFlow("table=30, priority=75, ip, udp, udp_dst=80, nw_dst=169.254.0.0/16, actions=drop") | ||
otx.AddFlow("table=30, priority=75, ip, udp, udp_dst=443, nw_dst=169.254.0.0/16, actions=drop") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't need UDP.
And also, at this point, if we're giving up on the idea of blocking all link-local traffic out of the pod network then this should match nw_dst=169.254.169.254
, not nw_dst=169.254.0.0/16
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, flows are ordered, right? So can we allow packets with a port (src or dst) of 53, and drop all others?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, you can't just generically "allow"; you have to say specifically what to do with the packet next (in this case, goto_table:100
). But... then you'd have two sets of goto_table:100
rules with a drop
rule between them and that kind of violates the code style? Handwave handwave.
Yes, we could do it.
To unblock GCP, I've asked @alexanderConstantinescu to add the 53 whitelist to iptables and drop the openflow rule completely for now. I'll file a blocker bug to re-add the openflow rules. |
92d720d
to
e73754e
Compare
// Block cloud metadata IP | ||
{"-A", "OUTPUT", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
{"-A", "FORWARD", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
// Block cloud metadata IP on ports 80 & 443 for TCP & UDP |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Block cloud provider metadata IP except DNS"
e73754e
to
1335f56
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexanderConstantinescu, squeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@danwinship, would you be OK with removing the hold for now? |
/hold cancel |
/retest |
This addresses the bug described here
We want to allow DNS packets to be routed through the metadata IP as this is sometimes used by internal mechanism to these providers when performing certain networking tasks.