I deployed my service with docker swarm in the Digital Ocean VPC.
I want to block access from the service to http://169.254.169.254/metadata/v1.json which is the metadata API for security reasons. Does anyone know how to do that?
Thanks,
Asked
Active
Viewed 45 times
2 Answers
0
You should block it on your host-machine, Docker use host-machine network configuration, so if your host-machine use iptables, you could use this article to block access.
Also you could block egress traffic from Docker using same iptables, please see this answer.
Alexander Tolkachev
- 4,513
- 3
- 14
- 23
-
I don't want to block on the host-machine. Because some background agents use that APIs for stats. – Quy Tang Jul 29 '22 at 09:23
-
@QuyTang I updated my answer, please check. – Alexander Tolkachev Jul 29 '22 at 12:28
-
Hi Alex, Thanks for your help! After reading some documents about iptables and your included references. I figure out the answer as below - https://serverfault.com/a/1107080/977687 – Quy Tang Aug 01 '22 at 04:04
-
The bounty was awarded. Thanks for helping to figure out the answer Alex! – Quy Tang Aug 05 '22 at 02:47
0
There are 2 ways to block the IP: 169.254.169.254
1. Block the IP in the host machine
# to block:
$ route add -host 169.254.169.254 reject
# to show the current routes:
$ route
2. Block the IP for docker container only in the docker filter chain with iptables
# to block
$ iptables -I DOCKER-ISOLATION-STAGE-1 -d 169.254.169.254 -j DROP
# to show the current tables:
$ iptables -vL
Quy Tang
- 1
- 5