I deployed my service with docker swarm in the Digital Ocean VPC.

I want to block access from the service to http://169.254.169.254/metadata/v1.json which is the metadata API for security reasons. Does anyone know how to do that?

Thanks,

2 Answers


You should block it on your host machine. Docker uses the host machine's network configuration, so if your host machine uses iptables, you could use this article to block access.

You could also block egress traffic from Docker using the same iptables; please see this answer.

  • I don't want to block it on the host machine, because some background agents use those APIs for stats.
    – Quy Tang
    Commented Jul 29, 2022 at 9:23
  • @QuyTang I updated my answer, please check.
    Commented Jul 29, 2022 at 12:28
  • Hi Alex, thanks for your help! After reading some documents about iptables and your included references, I figured out the answer as below - serverfault.com/a/1107080/977687
    – Quy Tang
    Commented Aug 1, 2022 at 4:04
  • The bounty was awarded. Thanks for helping to figure out the answer Alex!
    – Quy Tang
    Commented Aug 5, 2022 at 2:47

There are 2 ways to block the IP: 169.254.169.254

1. Block the IP in the host machine

# to block:
$ route add -host 169.254.169.254 reject

# to show the current routes:
$ route

2. Block the IP for docker container only in the docker filter chain with iptables

# to block
$ iptables -I DOCKER-ISOLATION-STAGE-1 -d 169.254.169.254 -j DROP

# to show the current tables:
$ iptables -vL
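One caveat on option 2 above: DOCKER-ISOLATION-STAGE-1 is a chain Docker manages itself and rebuilds when the daemon restarts, so a rule inserted there can silently disappear. Docker's documented place for operator rules is the DOCKER-USER chain, which the FORWARD chain consults before any of Docker's own chains. The script below is an added example, not code from either answer; it assumes Docker 17.06 or later with iptables management enabled (so DOCKER-USER exists), root privileges, IPv4 only, and, for the verification step, the docker CLI plus the alpine image. Host-originated traffic traverses OUTPUT rather than FORWARD, so agents on the host keep their access to the metadata API, which is what the question asked for; note that containers started with --network host also use OUTPUT and are therefore not affected by this rule.

```shell
#!/bin/sh
# Added example (not from the ServerFault answers): block container -> metadata
# traffic in the DOCKER-USER chain rather than in DOCKER-ISOLATION-STAGE-1.
# Assumptions: iptables with a DOCKER-USER chain (Docker 17.06+), run as root;
# DRY_RUN=1 prints the commands instead of executing them.

METADATA_IP="${METADATA_IP:-169.254.169.254}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Single rule spec shared by apply/remove: drop every forwarded packet whose
# destination is the metadata IP, whatever the source network or protocol.
# Only FORWARD traffic hits DOCKER-USER, so host processes are unaffected.
metadata_rule_spec() {
    printf '%s\n' "-d $METADATA_IP/32 -j DROP"
}

# Execute an iptables invocation, or print it when DRY_RUN=1.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Insert the rule at position 1 of DOCKER-USER so it precedes anything else
# placed there; -C makes the call idempotent on repeated runs.
metadata_block_apply() {
    spec=$(metadata_rule_spec)
    # $spec is intentionally unquoted: it must split into separate arguments.
    if [ "$DRY_RUN" != "1" ] && "$IPTABLES" -C DOCKER-USER $spec 2>/dev/null; then
        echo "rule already present in DOCKER-USER"
        return 0
    fi
    run_ipt -I DOCKER-USER 1 $spec
}

# Remove the rule again (e.g. for rollback).
metadata_block_remove() {
    spec=$(metadata_rule_spec)
    run_ipt -D DOCKER-USER $spec
}

# Constructed check from inside a bridge-networked container (assumes the
# docker CLI and the alpine image). Exit 0 if the request was blocked,
# 1 if the container still reached the metadata endpoint.
metadata_block_verify() {
    url="http://$METADATA_IP/metadata/v1.json"
    if [ "$DRY_RUN" = "1" ]; then
        echo "docker run --rm alpine wget -q -T 3 -O- $url"
        return 0
    fi
    if docker run --rm alpine wget -q -T 3 -O- "$url" >/dev/null 2>&1; then
        echo "NOT blocked: container reached $METADATA_IP"
        return 1
    fi
    echo "blocked: container could not reach $METADATA_IP"
    return 0
}

# Typical use:  sudo sh block-metadata.sh   (apply, then verify)
if [ "${0##*/}" = "block-metadata.sh" ]; then
    metadata_block_apply && metadata_block_verify
fi
```

Two things to keep in mind when using this: iptables rules are not persisted across reboots on their own, so re-run the script from a boot-time unit or save the ruleset with iptables-save / netfilter-persistent; and a DROP target makes clients inside the container hang until their timeout, so if you prefer an immediate failure use `-j REJECT` in the rule spec instead.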
