gliderlabs / cmd


Block GKE/GCE metadata service on move to Google Cloud #199

Closed Omeryl closed 7 years ago

Omeryl commented 7 years ago

The metadata service on GKE/GCE provides a plethora of rather helpful, but sensitive, information to the host machine. This data can be accessed over HTTP, so it is preferable to block it in containers.

For example:

```
/ # curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes" && echo
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append

/ # curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" && echo
{"access_token":"redacted","expires_in":1963,"token_type":"Bearer"}
```

The issue kubernetes/kubernetes#8867 tracks this problem. The best course of action is to block 169.254.169.254 in containers and change the resolver for containers (not the host machine, as this breaks GKE) to 8.8.8.8.
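A host-side mitigation along the lines suggested above, as an added example that is not part of gliderlabs/cmd and not from the issue: an iptables rule that rejects traffic to 169.254.169.254 only when it comes in from the container bridge (so the host keeps its own access), the daemon.json resolver setting, and a check that repeats the request from the issue inside a fresh container. The bridge name (docker0), Docker's DOCKER-USER chain and the alpine image used for the check are assumptions.

```shell
#!/bin/sh
# Added example, not code from gliderlabs/cmd. Assumptions (not from the issue):
# Docker >= 17.06 (DOCKER-USER chain), container traffic leaves via the bridge
# named in BRIDGE_IF (docker0 on a plain GCE Docker host; GKE nodes use a
# different bridge), iptables on PATH. DRY_RUN=1 prints commands instead of
# executing them.

METADATA_IP="169.254.169.254"
BRIDGE_IF="${BRIDGE_IF:-docker0}"
CONTAINER_DNS="${CONTAINER_DNS:-8.8.8.8}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject container-originated traffic to the metadata endpoint. Matching on the
# bridge interface leaves the host's own access untouched (cutting the host off
# breaks GKE, as the issue notes); DOCKER-USER survives Docker's chain rebuilds.
# REJECT rather than DROP so clients fail immediately instead of hanging.
block_metadata_from_containers() {
  if [ "$DRY_RUN" != "1" ] &&
     iptables -C DOCKER-USER -i "$BRIDGE_IF" -d "$METADATA_IP" -j REJECT 2>/dev/null; then
    return 0  # rule already present; keep this idempotent
  fi
  run iptables -I DOCKER-USER -i "$BRIDGE_IF" -d "$METADATA_IP" -j REJECT
}

# Daemon setting that hands containers a public resolver instead of the host's
# (which on GCE points at the metadata server). Merge into /etc/docker/daemon.json
# and restart the daemon.
container_dns_daemon_config() {
  printf '{"dns": ["%s"]}\n' "$CONTAINER_DNS"
}

# Repeat the request from the issue inside a fresh container; exit 0 only when
# it fails, i.e. the endpoint is no longer reachable from containers.
metadata_blocked_from_containers() {
  ! docker run --rm --dns "$CONTAINER_DNS" alpine:3 \
      wget -qO- -T 3 --header 'Metadata-Flavor: Google' \
      "http://$METADATA_IP/computeMetadata/v1/instance/service-accounts/default/scopes" \
      >/dev/null 2>&1
}

if [ "${1:-}" = "apply" ]; then
  block_metadata_from_containers
  echo "daemon.json setting to merge: $(container_dns_daemon_config)"
  metadata_blocked_from_containers && echo "metadata endpoint blocked for containers"
fi
```

Run with `apply` on the Docker host (or `DRY_RUN=1 ./script.sh apply` to see the commands first); user-defined Docker networks use their own `br-*` bridges and need the same rule per bridge.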

progrium commented 7 years ago

Beta is running on GCE using latest Dockerbox and this is resolved. Can you confirm @Omeryl? Try using beta.cmd.io ...

Omeryl commented 7 years ago

Best I can tell, it's all cleaned up. 👍