
Commit 0a25c76

Block access to the metadata endpoint with NOMAD-ADMIN
Thanks to hashicorp/nomad#10181
1 parent 3cfd6b6 commit 0a25c76

1 file changed

+12
-0
lines changed


templates/client.sh

@@ -90,3 +90,15 @@ systemctl restart docker
9090
# Start and enable Nomad
9191
systemctl start nomad
9292
systemctl enable nomad
93+
94+
# Block access to the metadata endpoint in three easy steps
95+
# https://github.com/picatz/terraform-google-nomad/issues/19
96+
#
97+
# Note: this also blocks DNS resolution within Nomad allocations (no apt install in containers)
98+
#
99+
# 1. Create NOAMD-ADMIN chain
100+
sudo iptables --new NOMAD-ADMIN
101+
# 2. Add default rule
102+
sudo iptables --append NOMAD-ADMIN --destination 172.26.64.0/20 --jump ACCEPT
103+
# 3. Block access to metadata endpoint
104+
sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --jump DROP
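Review bot: nothing in this hunk links the NOMAD-ADMIN chain into FORWARD, so the three iptables lines only take effect on a Nomad build that includes hashicorp/nomad#10181 (where Nomad itself jumps to NOMAD-ADMIN from its own chain); on an older client the script still exits cleanly and the metadata endpoint stays reachable from allocations, which is the silent, unsafe failure mode. Consider pinning the Nomad version the template installs or checking after start that `iptables --list FORWARD -n` shows a jump to NOMAD-ADMIN, and failing loudly otherwise. Smaller points: `sudo iptables --new NOMAD-ADMIN` is not idempotent (it errors with "Chain already exists" on a re-run or if Nomad has already created the chain), so guard it with something like `iptables --list NOMAD-ADMIN >/dev/null 2>&1 || iptables --new NOMAD-ADMIN`; the `sudo` prefix is inconsistent with the unprefixed `systemctl` lines just above, which suggests the script already runs as root; and the comment `# 1. Create NOAMD-ADMIN chain` misspells the chain name. The DNS breakage the comment mentions comes from the GCE metadata server also being the VM's resolver at 169.254.169.254; if DNS inside allocations is wanted, insert `--protocol udp --dport 53 --jump ACCEPT` (and the tcp equivalent) for that destination ahead of the DROP so only the HTTP metadata API is blocked, and say so in the comment instead of "no apt install in containers".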
