Fail on likely cloud metadata access misconfiguration

jupyterhub · Aug 2, 2023 · 7c7523c · 7c7523c
1 parent 3927ebe
commit 7c7523c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/jupyterhub/templates/NOTES.txt b/jupyterhub/templates/NOTES.txt
@@ -92,7 +92,7 @@
 
 
 {{- /*
-  Warnings for likely misconfiguration
+  Warnings for likely misconfigurations
 */}}
 
 {{- if and (not .Values.scheduling.podPriority.enabled) (and .Values.scheduling.userPlaceholder.enabled .Values.scheduling.userPlaceholder.replicas) }}
@@ -114,7 +114,7 @@
 
 
 {{- /*
-  Breaking changes.
+  Breaking changes and failures for likely misconfigurations.
 */}}
 
 {{- $breaking := "" }}
@@ -148,6 +148,11 @@
 {{- end }}
 
 
+{{- if and .Values.singleuser.cloudMetadata.blockWithIptables (and .Values.singleuser.networkPolicy.enabled .Values.singleuser.networkPolicy.egressAllowRules.cloudMetadataServer) }}
+{{- $breaking = print $breaking "\n\nCHANGED: singleuser.cloudMetadata.blockWithIptables must as of version 3.0.0 not be configured together with singleuser.networkPolicy.egressAllowRules.cloudMetadataServer as it leads to an ambiguous configuration." }}
+{{- end }}
+
+
 {{- if $breaking }}
 {{- fail (print $breaking_title $breaking "\n\n") }}
 {{- end }}
diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml
@@ -404,7 +404,7 @@ singleuser:
   networkPolicy:
     enabled: true
     egressAllowRules:
-      cloudMetadataServer: true
+      cloudMetadataServer: false
       dnsPortsPrivateIPs: true
       nonPrivateIPs: false
       privateIPs: false