Comments (3)
I assume that you have set up the iptables rule correctly? The code doesn't seem to use the role passed in the URL at all (it would probably be better semantically to check and return an error if it isn't the correct role, but it should not lead to assuming a role that is not allowed, but maybe I'm missing something).
from kube2iam.
Yeah, without the iptables rule, when I curl `curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/` I get `test` as the role I should be assigned.
from kube2iam.
So looking in the code more, the code is probably just returning the correct role whatever you pass in the URL; the URL param is just totally ignored, which isn't great but not a security issue. Relevant code:
```go
// The role is looked up from the caller's source IP only.
remoteIP := parseRemoteAddr(r.RemoteAddr)
role, err := s.getRole(remoteIP)
if err != nil {
	http.Error(w, err.Error(), http.StatusNotFound)
	return
}
```
The code is just getting the role for the remote IP whatever role is passed in the url. I'll see to change that to return an error instead.
from kube2iam.
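The check proposed in the last comment, sketched as an added example (this is not kube2iam's code): the role is still derived from the caller's IP, and a role named in the URL is only allowed to confirm it. `authorizeRole`, `roleForIP`, `podRoles` and `credsPrefix` are hypothetical names, the pod-to-role map is constructed sample data, and answering a mismatch with 403 is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Hypothetical constant: the metadata path curled in the thread.
const credsPrefix = "/latest/meta-data/iam/security-credentials/"

// Constructed sample data standing in for the real pod-IP-to-role lookup
// (assumption: one pod at 10.0.0.5 that is allowed the role "test").
var podRoles = map[string]string{"10.0.0.5": "test"}

func roleForIP(ip string) (string, error) {
	role, ok := podRoles[ip]
	if !ok {
		return "", errors.New("no role for " + ip)
	}
	return role, nil
}

// authorizeRole returns the role to serve and an HTTP status. The role
// always comes from the caller's IP; the URL role may only confirm it.
func authorizeRole(remoteAddr, urlPath string) (string, int) {
	ip, _, err := net.SplitHostPort(remoteAddr)
	if err != nil || !strings.HasPrefix(urlPath, credsPrefix) {
		return "", http.StatusBadRequest
	}
	allowed, err := roleForIP(ip)
	if err != nil {
		return "", http.StatusNotFound // same status as the quoted handler
	}
	requested := strings.TrimPrefix(urlPath, credsPrefix)
	if requested != "" && requested != allowed {
		return "", http.StatusForbidden // explicit error, no silent substitution
	}
	return allowed, http.StatusOK
}

func main() {
	for _, p := range []string{"", "test", "admin"} {
		role, code := authorizeRole("10.0.0.5:41234", credsPrefix+p)
		fmt.Printf("requested %q -> role %q, status %d\n", p, role, code)
	}
}
```

An empty role segment is treated as the listing request from the second comment and returns the pod's own role.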