文章目录
1. 介绍
2. Practice: Access Node Metadata
参考链接:
https://cloud.google.com/compute/docs/storing-retrieving-metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"
curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/0/" -H "Metadata-Flavor: Google"

root@master:~/clash# k run nginx --image=nginx
pod/nginx created
root@master:~/clash# k get pods
NAME      READY   STATUS    RESTARTS   AGE
backend   1/1     Running   0          43h
nginx     1/1     Running   0          22s
pod1      1/1     Running   0          20h
pod2      1/1     Running   0          20h
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"
3. Practice: Protect Node Metadata via NetworkPolicy
root@master:~/cks/metadata# cat deny.yaml
# all pods in namespace cannot access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
root@master:~/cks/metadata# k create -f deny.yaml
networkpolicy.networking.k8s.io/cloud-metadata-deny created
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"   ## 卡住
root@master:~/cks/metadata# cat allow.yaml
# only pods with label are allowed to access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32
root@master:~/cks/metadata# k create -f allow.yaml
networkpolicy.networking.k8s.io/cloud-metadata-allow created
root@master:~/cks/metadata# k label pod nginx role=metadata-accessor
pod/nginx labeled
root@master:~/cks/metadata# k get pods nginx --show-labels
NAME    READY   STATUS    RESTARTS   AGE   LABELS
nginx   1/1     Running   0          10m   role=metadata-accessor,run=nginx
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"   #正常访问

说明：169.254.169.254 是 metadata.google.internal 对应的 metadata 服务地址；NetworkPolicy 是叠加生效的（allow 规则取并集），所以带 role=metadata-accessor 标签的 pod 同时匹配 deny 和 allow 两条策略后，allow 中的 egress 规则使其可以访问 metadata。NetworkPolicy 需要支持它的 CNI（此处为 Calico）才会真正生效。
测试：删除 pod metadata 中的 role 标签后是否仍能访问
root@master:~/cks/metadata# k edit pod nginx
metadata:
  annotations:
    cni.projectcalico.org/podIP: 192.168.104.31/32
  creationTimestamp: "2021-04-22T03:17:45Z"
  labels:
    role: metadata-accessor   #删除
    run: nginx
  name: nginx
  namespace: default
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"   #卡住无法访问