Allow kiam-agent to not remove rules on the host (#253)

There are cases where kiam should not remove the iptables rules at shutdown. This avoids cases where metadata from the host will leak when kiam is reprovisioning, has crashed, etc, which causes any AWS SDK to cache and try to use host credentials for hours on end.
uswitch · Jun 10, 2019 · a5d932f · a5d932f
1 parent 04e66a7
commit a5d932f
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/cmd/kiam/agent.go b/cmd/kiam/agent.go
@@ -31,9 +31,10 @@ type agentCommand struct {
 	clientOptions
 	*http.ServerOptions
 
-	iptables      bool
-	hostIP        string
-	hostInterface string
+	iptables       bool
+	iptablesRemove bool
+	hostIP         string
+	hostInterface  string
 }
 
 func (cmd *agentCommand) Bind(parser parser) {
@@ -49,6 +50,7 @@ func (cmd *agentCommand) Bind(parser parser) {
 	parser.Flag("whitelist-route-regexp", "Proxy routes matching this regular expression").Default("^$").RegexpVar(&cmd.WhitelistRouteRegexp)
 
 	parser.Flag("iptables", "Add IPTables rules").Default("false").BoolVar(&cmd.iptables)
+	parser.Flag("iptables-remove", "Remove iptables rules at shutdown").Default("true").BoolVar(&cmd.iptablesRemove)
 	parser.Flag("host", "Host IP address.").Envar("HOST_IP").Required().StringVar(&cmd.hostIP)
 	parser.Flag("host-interface", "Network interface for pods to configure IPTables.").Default("docker0").StringVar(&cmd.hostInterface)
 }
@@ -63,7 +65,9 @@ func (opts *agentCommand) Run() {
 		if err != nil {
 			log.Fatal("error configuring iptables:", err.Error())
 		}
-		defer rules.Remove()
+		if opts.iptablesRemove {
+			defer rules.Remove()
+		}
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())