Commit

Block access to the metadata endpoint with NOMAD-ADMIN
picatz committed May 31, 2021
1 parent 3cfd6b6 commit 0a25c76
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions templates/client.sh
Expand Up @@ -90,3 +90,15 @@ systemctl restart docker
# Start and enable Nomad
systemctl start nomad
systemctl enable nomad

# Block access to the metadata endpoint in three easy steps
# https://github.com/picatz/terraform-google-nomad/issues/19
#
# Note: this also blocks DNS resolution within Nomad allocations (no apt install in containers)
#
# 1. Create NOAMD-ADMIN chain
sudo iptables --new NOMAD-ADMIN
# 2. Add default rule
sudo iptables --append NOMAD-ADMIN --destination 172.26.64.0/20 --jump ACCEPT
# 3. Block access to metadata endpoint
sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --jump DROP
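Review bot: the DNS breakage called out in the comment ("this also blocks DNS resolution within Nomad allocations") comes from the final rule dropping every protocol and port to 169.254.169.254/32, while on GCE that same address is the VM's default DNS resolver, not only the HTTP metadata endpoint. Rather than accepting the loss of DNS, insert an ACCEPT for name resolution ahead of the DROP, e.g. `iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --protocol udp --dport 53 --jump ACCEPT` (and the same for `--protocol tcp`), or narrow the DROP itself to `--protocol tcp --dport 80`, which is the port the metadata service is reached on. Two smaller points: `iptables --new NOMAD-ADMIN` is not idempotent and fails if the chain already exists (Nomad, started two lines earlier, creates this chain itself when it is missing), so guard it with `iptables --list NOMAD-ADMIN >/dev/null 2>&1 ||`; and the `sudo` prefix is inconsistent with the unprefixed `systemctl` calls just above, which already assume the script runs as root. The step 1 comment also misspells the chain as "NOAMD-ADMIN".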

0 comments on commit 0a25c76