uswitch · pingles · Oct 15, 2020 · Oct 8, 2020
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ We have a [#kiam Slack channel](https://kubernetes.slack.com/messages/CBQLKVABH/
 
 * No client SDK modifications are needed: Kiam intercepts Metadata API requests.
 * Separated Agent and Server processes. Allows user workloads to run on nodes without `sts:AssumeRole` permissions to enhance cluster security.
-* Denies access to all other AWS Metadata API paths by default (but can be whitelisted via flag)
+* Denies access to all other AWS Metadata API paths by default (but can be configured via flag)
 * AWS credentials are prefetched to allow fast responses (and avoid problems with races between Pods requesting credentials and the Kubernetes client caches being aware of the Pod)
 * Multi-account IAM support. Pods can assume roles from any AWS account assuming trust relationships permit it
 * [Prometheus and StatsD metrics](docs/METRICS.md)

diff --git a/cmd/kiam/agent.go b/cmd/kiam/agent.go
@@ -47,7 +47,7 @@ func (cmd *agentCommand) Bind(parser parser) {
 
 	parser.Flag("port", "HTTP port").Default("3100").IntVar(&cmd.ListenPort)
 	parser.Flag("allow-ip-query", "Allow client IP to be specified with ?ip. Development use only.").Default("false").BoolVar(&cmd.AllowIPQuery)
-	parser.Flag("whitelist-route-regexp", "Proxy routes matching this regular expression").Default("^$").RegexpVar(&cmd.WhitelistRouteRegexp)
+	parser.Flag("allow-route-regexp", "Only routes matching this regular expression will be proxied").Default("^$").RegexpVar(&cmd.AllowRouteRegexp)
 
 	parser.Flag("iptables", "Add IPTables rules").Default("false").BoolVar(&cmd.iptables)
 	parser.Flag("iptables-remove", "Remove iptables rules at shutdown").Default("true").BoolVar(&cmd.iptablesRemove)

diff --git a/helm/kiam/README.md b/helm/kiam/README.md
@@ -163,7 +163,7 @@ The following table lists the configurable parameters of the kiam chart and thei
 | `agent.image.tag`                           | Agent image tag                                                                              | `v3.6`                       |
 | `agent.image.pullPolicy`                    | Agent image pull policy                                                                      | `IfNotPresent`               |
 | `agent.dnsPolicy`                           | Agent pod DNS policy                                                                         | `ClusterFirstWithHostNet`    |
-| `agent.whiteListRouteRegexp`                | Agent pod whitelist metadata API path argument regex                                         | `{}`                         |
+| `agent.allowRouteRegexp`                    | Agent metadata proxy server only allows accesses to paths matching this regexp               | `{}`                         |
 | `agent.extraArgs`                           | Additional agent container arguments                                                         | `{}`                         |
 | `agent.extraEnv`                            | Additional agent container environment variables                                             | `{}`                         |
 | `agent.extraHostPathMounts`                 | Additional agent container hostPath mounts                                                   | `[]`                         |

diff --git a/helm/kiam/templates/agent-daemonset.yaml b/helm/kiam/templates/agent-daemonset.yaml
@@ -106,8 +106,8 @@ spec:
             - --prometheus-listen-addr=0.0.0.0:{{ .Values.agent.prometheus.port }}
             - --prometheus-sync-interval={{ .Values.agent.prometheus.syncInterval }}
             {{- end }}
-            {{- if .Values.agent.whiteListRouteRegexp }}
-            - --whitelist-route-regexp={{ .Values.agent.whiteListRouteRegexp }}
+            {{- if .Values.agent.allowRouteRegexp }}
+            - --allow-route-regexp={{ .Values.agent.allowRouteRegexp }}
             {{- end }}
             - --gateway-timeout-creation={{ .Values.agent.gatewayTimeoutCreation }}
             {{- if .Values.agent.keepaliveParams.time }}

diff --git a/helm/kiam/values.yaml b/helm/kiam/values.yaml
@@ -18,9 +18,9 @@ agent:
     tag: v3.6
     pullPolicy: IfNotPresent
 
-  ## agent whitelist of proxy routes matching this reg-ex
+  ## agent permits only request paths matching this reg-ex
   ##
-  # whiteListRouteRegexp:
+  # allowRouteRegexp:
 
 
   ## Logging settings

diff --git a/pkg/aws/metadata/handler_proxy.go b/pkg/aws/metadata/handler_proxy.go
@@ -23,8 +23,8 @@ import (
 )
 
 type proxyHandler struct {
-	backingService       http.Handler
-	whitelistRouteRegexp *regexp.Regexp
+	backingService   http.Handler
+	allowRouteRegexp *regexp.Regexp
 }
 
 var tokenRouteRegexp = regexp.MustCompile("^/?[^/]+/api/token$")
@@ -44,7 +44,7 @@ func (w *teeWriter) WriteHeader(statusCode int) {
 }
 
 func (p *proxyHandler) Handle(ctx context.Context, w http.ResponseWriter, r *http.Request) (int, error) {
-	if p.whitelistRouteRegexp.MatchString(r.URL.Path) ||
+	if p.allowRouteRegexp.MatchString(r.URL.Path) ||
 		// Always proxy through requests to pick up a session token
 		(r.Method == http.MethodPut && tokenRouteRegexp.MatchString(r.URL.Path)) {
 		writer := &teeWriter{w, http.StatusOK}
@@ -60,15 +60,15 @@ func (p *proxyHandler) Handle(ctx context.Context, w http.ResponseWriter, r *htt
 	}
 
 	proxyDenies.Inc()
-	return http.StatusNotFound, fmt.Errorf("request blocked by whitelist-route-regexp %q: %s", p.whitelistRouteRegexp, r.URL.Path)
+	return http.StatusNotFound, fmt.Errorf("request blocked by allow-route-regexp %q: %s", p.allowRouteRegexp, r.URL.Path)
 }
 
-func newProxyHandler(backingService http.Handler, whitelistRouteRegexp *regexp.Regexp) *proxyHandler {
-	if whitelistRouteRegexp.String() == "" {
-		whitelistRouteRegexp = regexp.MustCompile("^$")
+func newProxyHandler(backingService http.Handler, allowRouteRegexp *regexp.Regexp) *proxyHandler {
+	if allowRouteRegexp.String() == "" {
+		allowRouteRegexp = regexp.MustCompile("^$")
 	}
 	return &proxyHandler{
-		backingService:       backingService,
-		whitelistRouteRegexp: whitelistRouteRegexp,
+		backingService:   backingService,
+		allowRouteRegexp: allowRouteRegexp,
 	}
 }
diff --git a/pkg/aws/metadata/handler_proxy_test.go b/pkg/aws/metadata/handler_proxy_test.go
@@ -27,6 +27,8 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 )
 
+const kRequestBlockedAllowFilter = "request blocked by allow-route-regexp"
+
 func performRequest(allowed, path string, method string, returnCode int) (int, *httptest.ResponseRecorder) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
@@ -48,7 +50,7 @@ func performRequest(allowed, path string, method string, returnCode int) (int, *
 	return hits, rr
 }
 
-func TestProxyDefaultBlacklistingRoot(t *testing.T) {
+func TestProxyDefaultBlocksRoot(t *testing.T) {
 	defer leaktest.Check(t)()
 
 	hits, rr := performRequest("", "/", "GET", http.StatusOK)
@@ -59,7 +61,7 @@ func TestProxyDefaultBlacklistingRoot(t *testing.T) {
 	if rr.Code != http.StatusNotFound {
 		t.Error("unexpected status", rr.Code)
 	}
-	if !strings.HasPrefix(rr.Body.String(), "request blocked by whitelist-route-regexp") {
+	if !strings.HasPrefix(rr.Body.String(), kRequestBlockedAllowFilter) {
 		t.Error("unexpected body:", rr.Body.String())
 	}
 }
@@ -92,7 +94,7 @@ func TestProxyFiltering(t *testing.T) {
 	if rr.Code != http.StatusNotFound {
 		t.Error("unexpected status", rr.Code)
 	}
-	if !strings.HasPrefix(rr.Body.String(), "request blocked by whitelist-route-regexp") {
+	if !strings.HasPrefix(rr.Body.String(), kRequestBlockedAllowFilter) {
 		t.Error("unexpected body:", rr.Body.String())
 	}
 
@@ -130,12 +132,13 @@ func TestProxyFilteringSubpath(t *testing.T) {
 	if rr.Code != http.StatusNotFound {
 		t.Error("unexpected status", rr.Code)
 	}
-	if !strings.HasPrefix(rr.Body.String(), "request blocked by whitelist-route-regexp") {
+
+	if !strings.HasPrefix(rr.Body.String(), kRequestBlockedAllowFilter) {
 		t.Error("unexpected body:", rr.Body.String())
 	}
 }
 
-func TestProxyWhitelisting(t *testing.T) {
+func TestProxyAllowRouteFiltering(t *testing.T) {
 	defer leaktest.Check(t)()
 
 	hits, rr := performRequest("foo.*", "/foo", "GET", http.StatusOK)

diff --git a/pkg/aws/metadata/server.go b/pkg/aws/metadata/server.go
@@ -34,18 +34,18 @@ type Server struct {
 }
 
 type ServerOptions struct {
-	ListenPort           int
-	MetadataEndpoint     string
-	AllowIPQuery         bool
-	WhitelistRouteRegexp *regexp.Regexp
+	ListenPort       int
+	MetadataEndpoint string
+	AllowIPQuery     bool
+	AllowRouteRegexp *regexp.Regexp
 }
 
 func DefaultOptions() *ServerOptions {
 	return &ServerOptions{
-		MetadataEndpoint:     "http://169.254.169.254",
-		ListenPort:           3100,
-		AllowIPQuery:         false,
-		WhitelistRouteRegexp: regexp.MustCompile("^$"),
+		MetadataEndpoint: "http://169.254.169.254",
+		ListenPort:       3100,
+		AllowIPQuery:     false,
+		AllowRouteRegexp: regexp.MustCompile("^$"),
 	}
 }
 
@@ -75,7 +75,7 @@ func buildHTTPServer(config *ServerOptions, client server.Client) (*http.Server,
 		return nil, err
 	}
 
-	p := newProxyHandler(httputil.NewSingleHostReverseProxy(metadataURL), config.WhitelistRouteRegexp)
+	p := newProxyHandler(httputil.NewSingleHostReverseProxy(metadataURL), config.AllowRouteRegexp)
 	p.Install(router)
 
 	listen := fmt.Sprintf(":%d", config.ListenPort)