Add --disable-user-data & --disable-sensitive-metadata flags
mabartosz committed Mar 15, 2019
1 parent 8dc96cf commit cd189d0
Showing 3 changed files with 29 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -556,6 +556,8 @@ Usage of kube2iam:
--iam-role-session-ttl Length of session when assuming the roles (default 15m)
--debug Enable debug features
--default-role string Fallback role to use when annotation is not set
--disable-sensitive-metadata Make some sensitive metadata paths return empty strings
--disable-user-data Make the user-data endpoint return an empty string instead of the host's user-data
--host-interface string Host interface for proxying AWS metadata (default "docker0")
--host-ip string IP address of host
--iam-role-key string Pod annotation key used to retrieve the IAM role (default "iam.amazonaws.com/role")
2 changes: 2 additions & 0 deletions cmd/main.go
Expand Up @@ -41,6 +41,8 @@ func addFlags(s *server.Server, fs *pflag.FlagSet) {
fs.BoolVar(&s.UseRegionalStsEndpoint, "use-regional-sts-endpoint", false, "use the regional sts endpoint if AWS_REGION is set")
fs.BoolVar(&s.Verbose, "verbose", false, "Verbose")
fs.BoolVar(&s.Version, "version", false, "Print the version and exits")
fs.BoolVar(&s.DisableSensitiveMetadata, "disable-sensitive-metadata", false, "Make some sensitive metadata paths return empty strings")
fs.BoolVar(&s.DisableUserData, "disable-user-data", false, "Make the user-data endpoint return an empty string instead of the host's user-data")
}

func main() {
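Review bot: The help text on the new `fs.BoolVar(&s.DisableSensitiveMetadata, ...)` line says "some sensitive metadata paths" without naming them, so an operator reading `--help` cannot tell what the flag actually hides. The paths are fixed by the server.go change in this same commit, so the string can enumerate them, e.g. `"Return empty responses for the meta-data public-keys, block-device-mapping, network, security-groups and iam/info paths and for instance-identity signatures"`, with the README usage line updated to match. addFlags starts outside the hunk.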
25 changes: 25 additions & 0 deletions server/server.go
Expand Up @@ -70,6 +70,8 @@ type Server struct {
NamespaceRestriction bool
Verbose bool
Version bool
DisableSensitiveMetadata bool
DisableUserData bool
iam *iam.Client
k8s *k8s.Client
roleMapper *mappings.RoleMapper
Expand Down Expand Up @@ -268,6 +270,10 @@ func (s *Server) debugStoreHandler(logger *log.Entry, w http.ResponseWriter, r *
write(logger, w, string(o))
}

func (s *Server) emptyResponseHandler(logger *log.Entry, w http.ResponseWriter, r *http.Request) {
w.Header().Set("Server", "EC2ws")
}

func (s *Server) securityCredentialsHandler(logger *log.Entry, w http.ResponseWriter, r *http.Request) {
w.Header().Set("Server", "EC2ws")
remoteIP := parseRemoteAddr(r.RemoteAddr)
Expand Down Expand Up @@ -371,6 +377,25 @@ func (s *Server) Run(host, token, nodeName string, insecure bool) error {
// This is a potential security risk if enabled in some clusters, hence the flag
r.Handle("/debug/store", newAppHandler("debugStoreHandler", s.debugStoreHandler))
}

emptyResponseHandler := newAppHandler("emptyResponseHandler", s.emptyResponseHandler)
if s.DisableUserData {
r.Handle("/{version}/user-data", emptyResponseHandler)
r.Handle("/{version}/user-data/{path:.*}", emptyResponseHandler)
}
if s.DisableSensitiveMetadata {
// permit instance identity document, but not its signatures
r.Handle("/{version}/dynamic/instance-identity/document", newAppHandler("reserveProxyHandler", s.reverseProxyHandler))
r.Handle("/{version}/dynamic/instance-identity/{path:.+}", emptyResponseHandler)
// hide public keys, disk configuration, security group & iam information
r.Handle("/{version}/meta-data/public-keys/{path:.*}", emptyResponseHandler)
r.Handle("/{version}/meta-data/block-device-mapping/{path:.*}", emptyResponseHandler)
r.Handle("/{version}/meta-data/network/{path:.*}", emptyResponseHandler)
r.Handle("/{version}/meta-data/security-groups", emptyResponseHandler)
r.Handle("/{version}/meta-data/security-groups/{path:.*}", emptyResponseHandler)
r.Handle("/{version}/meta-data/iam/info", emptyResponseHandler)
r.Handle("/{version}/meta-data/iam/info/{path:.*}", emptyResponseHandler)
}
r.Handle("/{version}/meta-data/iam/security-credentials", securityHandler)
r.Handle("/{version}/meta-data/iam/security-credentials/", securityHandler)
r.Handle(
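Review bot: In the `if s.DisableSensitiveMetadata` block of Run, `public-keys`, `block-device-mapping` and `network` are blanked only under their `/{path:.*}` form, so the bare paths `/{version}/meta-data/public-keys`, `/{version}/meta-data/block-device-mapping` and `/{version}/meta-data/network` are not matched by these routes and presumably still reach whatever route proxies the rest of the metadata tree, whereas `security-groups` and `iam/info` are registered in both forms. Since the bare path is the directory index (for public-keys, presumably the key listing), the flag's intent is only partly met; adding `r.Handle("/{version}/meta-data/public-keys", emptyResponseHandler)`, `r.Handle("/{version}/meta-data/block-device-mapping", emptyResponseHandler)` and `r.Handle("/{version}/meta-data/network", emptyResponseHandler)` beside the existing lines closes the gap. The instance-identity document route is registered under the name `"reserveProxyHandler"`, which looks like a typo for `"reverseProxyHandler"` given that the other newAppHandler labels match their method names. Because emptyResponseHandler (earlier hunk) writes nothing, every route bound to it answers 200 with an empty body rather than a 404; a one-line comment on that handler stating the empty 200 is deliberate would help the next reader. Run starts and ends outside the hunk.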
