sureshanaparti commented on code in PR #550: URL: https://github.com/apache/cloudstack-documentation/pull/550#discussion_r2307195921
########## source/plugins/cloudstack-kubernetes-service.rst: ########## @@ -385,6 +385,55 @@ The service provides functionality to access kubeconfig file for a running Kuber getKubernetesClusterConfig API can be used to retrieve kubeconfig file data for a cluster. It takes id of the cluster as the input parameter. +Note: The meta-data and user-data of the underlying host can be accessed by the container running on the cks cluster. If you want prevent the access follow the below steps + +.. parsed-literal:: + + - The meta-data and user-data of the underlying worker-nodes can be accessed by the containers running on the CKS cluster + + For example deploy a container on a cks cluster + + kubectl exec -it <container> -- /bin/sh + + curl http://data-server/latest/meta-data/ + service-offering + availability-zone + local-ipv4 + local-hostname + public-ipv4 + public-hostname + instance-id + vm-id + public-keys + cloud-identifier + hypervisor-host-name + + curl http://data-server/latest/user-data/ + + + - If you want to prevent the access of meta-data and user-data from the containers running on cks-cluster, Execute the following yaml + + kubectl apply -f deny-meta-data.yaml + + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: deny-metadata-access + spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 169.254.188.68/32 + ports: + - protocol: TCP + port: 80 + + + + Review Comment: ```suggestion ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@cloudstack.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
