Enable inverse proxy to access host network (#2614)
When switching to GKE workload identity, the pods can't access the metadata server anymore by default due to metadata concealment. 
This can be unlocked by explicitly enabling hostNetwork for the pod. 
https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#concealment

This should be OK as the proxy is an optional component. In any case, when a user feels this is not a secure option, he/she could opt out of it.
IronPan authored and k8s-ci-robot committed Nov 18, 2019
1 parent b3b5e44 commit e7c7c51
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion manifests/kustomize/base/proxy/proxy-deployment.yaml
Expand Up @@ -13,8 +13,9 @@ spec:
labels:
app: proxy-agent
spec:
hostNetwork: true
containers:
- image: gcr.io/ml-pipeline/inverse-proxy-agent:0.1.20
imagePullPolicy: IfNotPresent
name: proxy-agent
serviceAccountName: proxy-agent-runner
serviceAccountName: proxy-agent-runner
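
Review bot: `hostNetwork: true` is added to the pod spec in `manifests/kustomize/base/proxy/proxy-deployment.yaml`, so every deployment built from the base gets a proxy pod in the node's network namespace by default, while the commit message describes this as something a user can opt out of. Consider moving the setting into an optional overlay or patch so that it is opt-in, or at least add a comment next to the line explaining that it exists to reach the metadata server under GKE metadata concealment and how to remove it. A pod on the host network can reach the same metadata endpoint and node-local listeners as the node itself, which is the protection that concealment was put in place to provide, so the `proxy-agent-runner` service account and the `inverse-proxy-agent` image should be reviewed with that exposure in mind. No `dnsPolicy` is visible in this hunk; with host networking the pod uses the node's resolver unless `dnsPolicy: ClusterFirstWithHostNet` is set, so please confirm the agent does not need to resolve in-cluster service names.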
