I'm trying to figure out how to prevent the majority of my pods in a Google Kubernetes Engine (GKE) cluster from accessing the GCP metadata server's IP address (`169.254.169.254`). There are a couple of specific pods that should be allowed access, but I need to enforce this block strictly at the network level, no matter what hostname the request might come from.
I've already experimented with Istio by setting up `VirtualServices` and `AuthorizationPolicies` to block requests to known metadata hostnames, but that only works for those specific names. I've also tried using Calico to create a `GlobalNetworkPolicy` to deny egress traffic to `169.254.169.254`, but I'm facing issues where it either behaves unpredictably or just allows connections when they shouldn't be.
My aim is to establish a network rule that definitively drops any outgoing packets to `169.254.169.254` from every pod, except the ones I've explicitly granted access to. I want to ensure that even if other hostnames resolve to that IP, the network policies are robust enough to prevent any TCP connections to it. I'm strictly looking for network-layer solutions like Calico, not identity-based controls. Has anyone successfully achieved this with a strict IP block for the metadata server in GKE? What could be causing Calico's issues with blocking HTTP traffic to this specific address?
1 Answer
You might want to try using a CNI that supports NetworkPolicies natively. Cilium is worth looking into for its ability to handle this type of IP-based filtering. Also, consider blackholing the CIDR with Istio, which could provide additional layers of blockage for the IP address.
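Worked example (added here; it is not part of the question or the answer above): the Calico `GlobalNetworkPolicy` pair below drops pod egress to `169.254.169.254` cluster-wide while exempting pods that carry a label. The label key `metadata-access`, the policy names and the `order` values are made up for this example, and it assumes the cluster's Calico installation accepts `projectcalico.org/v3` objects (applied with `calicoctl apply -f`, or through the Calico API server). The two details that most often make an IP-based deny "not work" are encoded as comments: the exemption must be evaluated before the deny (lower `order`), and a Calico policy that selects an endpoint but matches no rule drops the packet, so the deny policy needs a trailing `Pass` or it silently becomes a default-deny for all egress.

```yaml
# Added example, not from the question or answer above. Assumes a
# Calico installation that accepts projectcalico.org/v3 objects; the
# label key "metadata-access", policy names and order values are
# placeholders chosen for this example.
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-metadata-for-exempt-pods
spec:
  # Lower order value is evaluated first, so this exemption is
  # consulted before the cluster-wide deny below.
  order: 10
  selector: metadata-access == "allowed"
  types:
    - Egress
  egress:
    # Only TCP/80 to the metadata IP is permitted by this policy.
    # Any other traffic from exempt pods does not match here and
    # falls through to the next policy, then to the namespace profile.
    - action: Allow
      protocol: TCP
      destination:
        nets:
          - 169.254.169.254/32
        ports:
          - 80
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-metadata-for-everyone-else
spec:
  order: 20
  # all() selects every workload endpoint in every namespace.
  # Narrow with namespaceSelector if kube-system components must
  # keep access.
  selector: all()
  types:
    - Egress
  egress:
    # Matches any protocol, any port, so the block holds no matter
    # which hostname resolved to the address.
    - action: Deny
      destination:
        nets:
          - 169.254.169.254/32
    # Required: when a Calico policy selects an endpoint and no rule
    # matches, the packet is dropped. Pass hands non-metadata traffic
    # on to the namespace profile / Kubernetes NetworkPolicy instead
    # of turning this policy into a blanket egress deny.
    - action: Pass
```

To check the result, run `curl -m 3 -H 'Metadata-Flavor: Google' http://169.254.169.254/computeMetadata/v1/` from a non-exempt pod (it should time out) and from a pod labelled `metadata-access=allowed` (it should return a directory listing). One thing worth verifying on a node, stated here as an assumption about the cluster rather than something the question confirms: if Workload Identity is enabled, GKE runs `gke-metadata-server` on every node and redirects pod requests for `169.254.169.254` to it with iptables NAT; because NAT in PREROUTING rewrites the destination before the filter rules Calico installs are evaluated, a policy matching only `169.254.169.254/32` may never see the original address, which would explain connections being allowed despite the deny. Inspect the node's `iptables -t nat -S` output and add the redirect target's address to the `nets` lists if that is the case.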