IMDS

```shell
# Install Calico through the Tigera operator Helm chart
helm repo add projectcalico https://docs.tigera.io/calico/charts
kubectl create namespace tigera-operator
helm install calico projectcalico/tigera-operator --version v3.29.1 --namespace tigera-operator
```
```shell
# Install calicoctl (downloaded as kubectl-calico, then placed on the PATH as calicoctl)
curl -L https://github.com/projectcalico/calico/releases/download/v3.29.1/calicoctl-linux-amd64 -o kubectl-calico
chmod +x kubectl-calico
sudo mv kubectl-calico /usr/local/bin/calicoctl
```
```yaml
# aws-cli.yaml: a test pod carrying the AWS CLI, kept alive with sleep
apiVersion: v1
kind: Pod
metadata:
  name: aws
  namespace: default
spec:
  containers:
    - name: aws
      image: amazon/aws-cli:latest
      command:
        - sleep
        - "3600"
      imagePullPolicy: IfNotPresent
  restartPolicy: Always
```
```shell
kubectl apply -f aws-cli.yaml
```
```shell
# Before any restriction, the pod can obtain the node's role credentials through IMDS
kubectl exec -it aws -- aws sts get-caller-identity
```
```shell
# Look up the two worker nodes tagged skills-app-node and show their current IMDS settings
INSTANCE1_ID=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=skills-app-node" --query 'Reservations[0].Instances[0].InstanceId' --output json | jq -r .)
INSTANCE2_ID=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=skills-app-node" --query 'Reservations[1].Instances[0].InstanceId' --output json | jq -r .)
aws ec2 describe-instances --instance-ids $INSTANCE1_ID --output table --query 'Reservations[].Instances[].[{EC2: InstanceId, Token: MetadataOptions.HttpTokens, State: MetadataOptions.State, HopCount: MetadataOptions.HttpPutResponseHopLimit}]'
aws ec2 describe-instances --instance-ids $INSTANCE2_ID --output table --query 'Reservations[].Instances[].[{EC2: InstanceId, Token: MetadataOptions.HttpTokens, State: MetadataOptions.State, HopCount: MetadataOptions.HttpPutResponseHopLimit}]'
```
```yaml
# restrict-imds-call.yaml: deny TCP egress to the IMDS address from every pod, allow everything else
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: block-imds-access
spec:
  selector: all()
  egress:
    - action: Deny
      protocol: TCP
      destination:
        nets:
          - 169.254.169.254/32
    - action: Allow
      destination:
        nets:
          - 0.0.0.0/0
```
```shell
kubectl apply -f restrict-imds-call.yaml
```
Access to IMDS is now blocked:

```shell
kubectl exec -it aws -- aws sts get-caller-identity
```
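The policy works because Calico evaluates a policy's egress rules in order and the first matching rule decides, which is why the Deny for 169.254.169.254/32 must sit before the catch-all Allow. The Python below is an added illustration, not Calico's code: it re-implements that first-match evaluation for the two rules above, shows that reversing them would let the Allow swallow the Deny, and shows that the Deny, being limited to TCP, does not match UDP (harmless for IMDS, which is HTTP over TCP). Modelling "no rule matched" as Deny is a simplification of Calico's real behaviour and is labelled as an assumption in the code.

```python
"""Model of the first-match egress evaluation that block-imds-access relies on.

Added illustration, not Calico's own code. The rule set below is transcribed
from the GlobalNetworkPolicy above; the no-match default is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                     # "Deny" or "Allow"
    nets: List[str]                 # destination CIDRs, as in spec.egress[].destination.nets
    protocol: Optional[str] = None  # None means any protocol, as when the key is omitted

    def matches(self, dst_ip: str, protocol: str) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.nets)


def evaluate_egress(rules: List[Rule], dst_ip: str, protocol: str = "TCP") -> str:
    """Return the action of the first rule that matches the connection.

    Assumption: a connection matched by no rule is treated as Deny, which is a
    simplification of how Calico falls through to other policies and profiles.
    """
    for rule in rules:
        if rule.matches(dst_ip, protocol):
            return rule.action
    return "Deny"


# The egress rules of block-imds-access, in the order the YAML lists them.
BLOCK_IMDS_ACCESS = [
    Rule("Deny", ["169.254.169.254/32"], protocol="TCP"),
    Rule("Allow", ["0.0.0.0/0"]),
]

# Same rules in the opposite order: the catch-all Allow matches first and the
# Deny is never reached. Kept only to make the ordering requirement concrete.
REVERSED = list(reversed(BLOCK_IMDS_ACCESS))


def check_policy(rules: List[Rule]) -> bool:
    """True when the rule set blocks IMDS but still allows ordinary egress."""
    imds_blocked = evaluate_egress(rules, "169.254.169.254") == "Deny"
    internet_allowed = evaluate_egress(rules, "93.184.216.34") == "Allow"
    return imds_blocked and internet_allowed


if __name__ == "__main__":
    for name, rules in (("as written", BLOCK_IMDS_ACCESS), ("reversed", REVERSED)):
        print(name, "->", "OK" if check_policy(rules) else "IMDS still reachable")
```

A second thing the model makes visible: the policy only stops pods from reaching IMDS over the pod network; it does not change the node's own IMDS settings, which is what the hop-count step below addresses.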
Blocking with the Hop Count value

```shell
# Remove the Calico policy so that only the IMDS hop limit controls access
kubectl delete -f restrict-imds-call.yaml
```
Access should be allowed again:

```shell
kubectl exec -it aws -- aws sts get-caller-identity
```
Change the IMDS Hop Count from its existing value of "2" to "1":

```shell
# Require IMDSv2 tokens and limit the PUT response to a single hop on both nodes
aws ec2 modify-instance-metadata-options --instance-id $INSTANCE1_ID --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1
aws ec2 modify-instance-metadata-options --instance-id $INSTANCE2_ID --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1
```
Access to IMDS is now blocked:

```shell
kubectl exec -it aws -- aws sts get-caller-identity
```
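The two `modify-instance-metadata-options` calls above fix two nodes by hand. The Python below is an added example, not AWS's or the page's code: it parses the JSON that `aws ec2 describe-instances --output json` returns, flags every instance whose settings are weaker than the ones applied above (`HttpTokens=required`, `HttpPutResponseHopLimit=1`), and builds the same remediation command for each. The embedded sample is constructed to have that output's shape; the instance IDs in it are placeholders.

```python
"""Audit of EC2 instance metadata options against the settings applied above.

Added example, not AWS's code. Input is the JSON shape returned by
`aws ec2 describe-instances --output json`; the SAMPLE below is constructed
and its instance IDs are placeholders.
"""
import json
from typing import Dict, List

REQUIRED_TOKENS = "required"   # IMDSv2 only; "optional" still permits IMDSv1
MAX_HOP_LIMIT = 1              # a PUT response with TTL 1 cannot cross into a pod's network namespace


def audit_instances(describe_output: Dict) -> List[Dict]:
    """Return one finding per instance whose IMDS settings are weaker than required."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off entirely; nothing to harden
            problems = []
            if opts.get("HttpTokens") != REQUIRED_TOKENS:
                problems.append("IMDSv1 still allowed (HttpTokens=%s)" % opts.get("HttpTokens"))
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > MAX_HOP_LIMIT:
                problems.append("hop limit %d lets the IMDSv2 token reach pods" % hop)
            if problems:
                findings.append({"InstanceId": inst["InstanceId"], "Problems": problems})
    return findings


def remediation_commands(findings: List[Dict]) -> List[str]:
    """Build the modify-instance-metadata-options command used above for each finding."""
    return [
        "aws ec2 modify-instance-metadata-options --instance-id %s "
        "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1"
        % f["InstanceId"]
        for f in findings
    ]


# Constructed sample in the describe-instances output shape; IDs are placeholders.
SAMPLE = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0000000000000001",
       "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}}
    ]},
    {"Instances": [
      {"InstanceId": "i-0000000000000002",
       "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
      {"InstanceId": "i-0000000000000003",
       "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                           "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}}
    ]}
  ]
}
""")


if __name__ == "__main__":
    for finding in audit_instances(SAMPLE):
        print(finding["InstanceId"], "->", "; ".join(finding["Problems"]))
    for cmd in remediation_commands(audit_instances(SAMPLE)):
        print(cmd)
```

One caveat the check cannot see from instance metadata alone: the hop limit only protects pods that have their own network namespace. A pod running with `hostNetwork: true` shares the node's stack and reaches IMDS in one hop, so for such pods the Calico policy, or not granting them hostNetwork in the first place, remains the control.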