
Containers can still access node role #15

Closed
TaiSHiNet opened this issue Oct 2, 2016 · 3 comments

Comments

@TaiSHiNet

I've had these roles:

  • worker_role
  • test

When I curl metadata, I receive 'test' as the role I should use. But I can circumvent this by hitting:
curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/worker_role

This provides me with the temporary credentials for that role. It would be great if we could block those calls, else an attacker could leverage it.

@jtblin
Owner

jtblin commented Oct 4, 2016

I assume that you have set up the iptables rule correctly? The code doesn't seem to use the role passed in the URL at all (it would probably be better semantically to check and return an error if it isn't the correct role, but it should not lead to assuming a role that is not allowed; maybe I'm missing something, though).

@TaiSHiNet
Author

Yeah, without the iptables rule, when I run curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/ I get test as the role I should be assigned.

@jtblin
Owner

jtblin commented Oct 19, 2016

So, looking at the code more, it is probably just returning the correct role whatever you pass in the URL; the URL param is totally ignored, which isn't great but not a security issue. Relevant code:

    remoteIP := parseRemoteAddr(r.RemoteAddr) // caller's pod IP, taken from the connection
    role, err := s.getRole(remoteIP)          // role is looked up by IP only; the URL is never read
    if err != nil {
        http.Error(w, err.Error(), http.StatusNotFound)
        return
    }

The code is just getting the role for the remote IP whatever role is passed in the URL. I'll see to changing that to return an error instead.
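One possible shape for that fix, as an added example that is not kube2iam's own code: the role named in the URL is compared against the role looked up for the caller's IP, and a mismatch returns 404 instead of silently serving the assigned role. The IP-to-role table, credsPrefix, resolveRole and credentialsHandler are constructed for this example; parseRemoteAddr and getRole only stand in for the project's functions of the same name.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

const credsPrefix = "/latest/meta-data/iam/security-credentials/"
// roleByIP is a constructed pod-IP to role table standing in for kube2iam's lookup.
var roleByIP = map[string]string{"10.0.0.5": "test"}
var errRoleMismatch = errors.New("requested role does not match the role assigned to this pod")

func parseRemoteAddr(addr string) string { // "10.0.0.5:43210" -> "10.0.0.5"
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return addr
}

// getRole returns the role the pod at remoteIP is allowed to assume.
func getRole(remoteIP string) (string, error) {
	if role, ok := roleByIP[remoteIP]; ok {
		return role, nil
	}
	return "", fmt.Errorf("no role found for %s", remoteIP)
}

// resolveRole: a bare listing returns the assigned role; any other role name in the URL is rejected.
func resolveRole(remoteAddr, urlPath string) (string, error) {
	assigned, err := getRole(parseRemoteAddr(remoteAddr))
	if err != nil {
		return "", err
	}
	if requested := strings.TrimPrefix(urlPath, credsPrefix); requested != "" && requested != assigned {
		return "", errRoleMismatch
	}
	return assigned, nil
}

func credentialsHandler(w http.ResponseWriter, r *http.Request) { // 404 on mismatch
	role, err := resolveRole(r.RemoteAddr, r.URL.Path)
	if err != nil {
		http.Error(w, err.Error(), http.StatusNotFound)
		return
	}
	fmt.Fprintln(w, role) // the real proxy would fetch and return credentials for this role
}
```

A request for worker_role from the pod mapped to test is now answered with 404 rather than with test's credentials, which also makes such probing visible in the proxy's error log.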
