Allow DNS port when performing iptables filtering on cloud provider metadata IP #12
Conversation
openshift-ci-robot
added
the
size/XS
|
/assign @squeed |
| {"-A", "OUTPUT", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
| {"-A", "FORWARD", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
| // Block cloud metadata IP on all ports except 53 for tcp/udp | ||
| {"-p", "tcp", "-A", "OUTPUT", "-d", "169.254.169.254", "!", "--dport", "53", "-j", "REJECT"}, |
There was a problem hiding this comment.
It's convention to put the "-A OUTPUT" first.
There was a problem hiding this comment.
Thanks, just updated the PR
alexanderConstantinescu
force-pushed
the
bugfix/SDN-493
branch
from
72c55d8
to
e1697de
Compare
|
cc @danwinship |
|
I think maybe it would be better to only block port 80/443 rather than to block everything except 53. Also, we're blocking it in two places: see However, do we actually know that the metadata service on GCP contains privileged information that we need to prevent pods from accessing? Maybe the fix is "only block on AWS", not "only block http". |
I would prefer whitelisting over blacklisting.
The GKE documentation seems to imply that, yes, the cluster metadata endpoint can contain sensitive information. |
|
I agree with @squeed concerning the IPs to block. I will update the PR with modifications to the additional file you mentioned @danwinship |
alexanderConstantinescu
force-pushed
the
bugfix/SDN-493
branch
from
e1697de
to
1a68220
Compare
openshift-ci-robot
added
size/S
|
Just updated the PR to drop packets to 443 and 80 only. Please have a look and let me know |
|
/assign @danwinship |
| {"-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "-d", "169.254.169.254", "--dport", "80", "-j", "REJECT"}, | ||
| {"-A", "OUTPUT", "-p", "udp", "-m", "udp", "-d", "169.254.169.254", "--dport", "80", "-j", "REJECT"}, | ||
| {"-A", "FORWARD", "-p", "tcp", "-m", "tcp", "-d", "169.254.169.254", "--dport", "443", "-j", "REJECT"}, | ||
| {"-A", "FORWARD", "-p", "udp", "-m", "udp", "-d", "169.254.169.254", "--dport", "443", "-j", "REJECT"}, |
There was a problem hiding this comment.
This got messed up in one of the rewrites... now it's blocking port 80 in OUTPUT and port 443 in FORWARD.
Also, we don't need to block UDP, just TCP. Also, you can simplify using multiport. So (I think, not tested):
{"-A", "OUTPUT", "-d", "169.254.169.254", "-p", "tcp", "-m", "multiport", "--destination-ports", "80,443", "-j", "REJECT"},
{"-A", "FORWARD", "-d", "169.254.169.254", "-p", "tcp", "-m", "multiport", "--destination-ports", "80,443", "-j", "REJECT"},
but also, @squeed, what's the verdict on 8080?
There was a problem hiding this comment.
Waiting for the west coast to have coffee, then we'll see.
pkg/network/node/ovscontroller.go
Outdated
| otx.AddFlow("table=30, priority=75, ip, tcp, tcp_dst=80, nw_dst=169.254.0.0/16, actions=drop") | ||
| otx.AddFlow("table=30, priority=75, ip, tcp, tcp_dst=443, nw_dst=169.254.0.0/16, actions=drop") | ||
| otx.AddFlow("table=30, priority=75, ip, udp, udp_dst=80, nw_dst=169.254.0.0/16, actions=drop") | ||
| otx.AddFlow("table=30, priority=75, ip, udp, udp_dst=443, nw_dst=169.254.0.0/16, actions=drop") |
There was a problem hiding this comment.
Don't need UDP.
And also, at this point, if we're giving up on the idea of blocking all link-local traffic out of the pod network then this should match nw_dst=169.254.169.254, not nw_dst=169.254.0.0/16
There was a problem hiding this comment.
Wait, flows are ordered, right? So can we allow packets with a port (src or dst) of 53, and drop all others?
There was a problem hiding this comment.
Well, you can't just generically "allow"; you have to say specifically what to do with the packet next (in this case, goto_table:100). But... then you'd have two sets of goto_table:100 rules with a drop rule between them and that kind of violates the code style? Handwave handwave.
Yes, we could do it.
openshift-ci-robot
added
the
do-not-merge/hold
|
To unblock GCP, I've asked @alexanderConstantinescu to add the 53 whitelist to iptables and drop the openflow rule completely for now. I'll file a blocker bug to re-add the openflow rules. |
alexanderConstantinescu
force-pushed
the
bugfix/SDN-493
branch
2 times, most recently
from
92d720d
to
e73754e
Compare
| // Block cloud metadata IP | ||
| {"-A", "OUTPUT", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
| {"-A", "FORWARD", "-d", "169.254.169.254", "-j", "REJECT"}, | ||
| // Block cloud metadata IP on ports 80 & 443 for TCP & UDP |
There was a problem hiding this comment.
"Block cloud provider metadata IP except DNS"
alexanderConstantinescu
force-pushed
the
bugfix/SDN-493
branch
from
e73754e
to
1335f56
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexanderConstantinescu, squeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
@danwinship, would you be OK with removing the hold for now? |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/retest |
This addresses the bug described here
We want to allow DNS packets to be routed through the metadata IP as this is sometimes used by internal mechanism to these providers when performing certain networking tasks.