lyft / metadataproxy

A proxy for AWS's metadata service that gives out scoped IAM credentials from STS

container launched with --net=host getting EC2 host credentials #82

Closed amit-singh-rathore closed 5 years ago

amit-singh-rathore commented 5 years ago

I launched the metadataproxy container in host mode as per the documentation. I launched two more containers, one with --net=host and the other with --net=bridge. It works fine in bridge mode. But it does not return the container credentials mapped to the IAM_ROLE parameter through the proxy for the container launched in host mode; it gives back the EC2 role credentials.

ryan-lane commented 5 years ago

@amit-singh-rathore Yes, that's the intended behavior. Containers in host mode run on the host network. There's no container IP to map to a particular container, just the host IP. Due to that, metadataproxy has no way of differentiating that container from itself.

amit-singh-rathore commented 5 years ago

Thanks for the update. I was hoping for a way around this. Any leads on this?

ryan-lane commented 5 years ago

@amit-singh-rathore it could be possible for metadataproxy to do this, but the hardest part is going to be the iptables rules to point host containers (that aren't metadataproxy) at metadataproxy, when they try to talk to the metadata service.

metadataproxy itself is doing reverse lookups of the container IPs in docker to find the IAM_ROLE, but with host networking, you'd end up having multiple containers with the same IP, making it difficult to differentiate them. I think in general you'll have a hard time here.
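The reverse lookup described in the two comments above, written out as an added illustration (this is not metadataproxy's own code). It resolves a request's source address to a container using the fields `docker inspect` exposes (HostConfig.NetworkMode, NetworkSettings.Networks[*].IPAddress, Config.Env), and shows why a host-mode container cannot be attributed: Docker reports no address of its own, so its requests arrive from the host IP that metadataproxy and every other host-mode container share. The container records, addresses and role ARNs are constructed; every outcome other than a single unambiguous match is a deny, so the proxy never falls back to the instance profile credentials for a request it cannot attribute.

```python
"""Reverse lookup of a request's source IP to exactly one Docker container.

Added illustration, not metadataproxy's own code. All records below are
constructed to look like the relevant subset of `docker inspect` output.
"""
from typing import Dict, List, Optional, Set

# Constructed: the EC2 host's own address. Host-mode containers (and
# metadataproxy itself) all appear to come from here.
HOST_IP = "10.0.0.5"

# Constructed records with only the inspect fields the lookup needs.
SAMPLE_CONTAINERS: List[Dict] = [
    {
        "Id": "a1",
        "Name": "/app-bridge",
        "HostConfig": {"NetworkMode": "bridge"},
        "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}},
        "Config": {"Env": ["PATH=/usr/bin", "IAM_ROLE=arn:aws:iam::123456789012:role/app-bridge"]},
    },
    {
        "Id": "b2",
        "Name": "/app-host",
        "HostConfig": {"NetworkMode": "host"},
        # Docker reports an empty address for host networking.
        "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}},
        "Config": {"Env": ["IAM_ROLE=arn:aws:iam::123456789012:role/app-host"]},
    },
    {
        "Id": "c3",
        "Name": "/metadataproxy",
        "HostConfig": {"NetworkMode": "host"},
        "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}},
        "Config": {"Env": []},
    },
]


def container_ips(info: Dict) -> Set[str]:
    """Addresses Docker assigned to the container; empty for host networking."""
    ips: Set[str] = set()
    networks = info.get("NetworkSettings", {}).get("Networks") or {}
    for net in networks.values():
        ip = net.get("IPAddress")
        if ip:
            ips.add(ip)
    return ips


def iam_role(info: Dict) -> Optional[str]:
    """IAM_ROLE from the container environment, or None if it is unset."""
    for entry in info.get("Config", {}).get("Env") or []:
        key, sep, value = entry.partition("=")
        if sep and key == "IAM_ROLE" and value:
            return value
    return None


def _deny(reason: str) -> Dict:
    return {"decision": "deny", "reason": reason, "role": None, "container": None}


def resolve(source_ip: str, containers: List[Dict], host_ip: str) -> Dict:
    """Decide which role, if any, a request from source_ip may receive."""
    if source_ip == host_ip:
        # Could be metadataproxy, any host-mode container, or a host process:
        # there is nothing to tell them apart, so refuse rather than guess.
        return _deny("host-address")
    matches = [c for c in containers if source_ip in container_ips(c)]
    if not matches:
        return _deny("unknown-source")
    if len(matches) > 1:
        return _deny("ambiguous-source")
    role = iam_role(matches[0])
    if role is None:
        return _deny("no-iam-role")
    return {
        "decision": "allow",
        "reason": "matched",
        "role": role,
        "container": matches[0]["Name"].lstrip("/"),
    }


if __name__ == "__main__":
    for ip in ("172.17.0.3", HOST_IP, "172.17.0.99"):
        print(ip, "->", resolve(ip, SAMPLE_CONTAINERS, HOST_IP))
```

Run as-is, the bridge container's address resolves to its IAM_ROLE, the host address is refused, and an address no container owns is refused; the point of the refusals is that a request the proxy cannot attribute must not quietly receive the instance profile's credentials.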

amit-singh-rathore commented 5 years ago

I am thinking of creating a socket and exposing it to containers, similar to /var/run/docker.sock. Behind the socket will be a trimmed-down version of metadataproxy, which will keep relaying the credentials to the AWS credential process. How does this sound?

ryan-lane commented 5 years ago

How will you identify the containers, to look up which IAM role they should be assigned?


amit-singh-rathore commented 5 years ago

The approach I am thinking of uses credential_process, so the arguments to it will be passed from the container itself: [default] /var/micro_metaproxy/sock $IAM_ROLE

ryan-lane commented 5 years ago

@amit-singh-rathore Gotcha. That means any container would be able to request any role? It's a reasonable approach if you aren't using mdp to limit IAM access.

amit-singh-rathore commented 5 years ago

Only those roles which are allowed in the instance profile. I am in a situation where I need to give credentials to containers which are mostly in host mode.

ryan-lane commented 5 years ago

Oh, gotcha. Yeah, those have full host network access and could directly access the metadata service anyway, so no loss of security there.

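The credential_process design discussed in the last few comments, as an added example that is not code from the thread or from the metadataproxy project. A credential_process helper is any executable the AWS SDKs run from ~/.aws/config (credential_process = /path/to/helper <args>) and expect to print a JSON document with Version, AccessKeyId, SecretAccessKey, SessionToken and Expiration. The helper below takes the role ARN as its argument, exactly as the poster proposes, and gates it with an allow-list so that "any container can request any role" shrinks to "any container can request one of the roles the operator listed". The allow-list, the ARNs and fake_assume_role are constructed; fake_assume_role stands in for an STS AssumeRole call and returns the same field names STS does, so no network is needed to run it.

```python
"""credential_process helper gated by a role allow-list.

Added illustration, not the project's own code. Replace fake_assume_role with
a real STS AssumeRole call (for example boto3's sts client, whose assume_role
takes RoleArn= and RoleSessionName= keyword arguments) to use it for real.
"""
import json
import sys
from datetime import datetime, timezone
from typing import Callable, Dict, Set

# Constructed allow-list: the roles this host is willing to hand out.
ALLOWED_ROLES: Set[str] = {
    "arn:aws:iam::123456789012:role/app-host",
    "arn:aws:iam::123456789012:role/app-bridge",
}


def fake_assume_role(role_arn: str, session_name: str) -> Dict:
    """Constructed stand-in for STS AssumeRole; same response shape, no network."""
    return {
        "Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",
            "SecretAccessKey": "example-secret-not-real",
            "SessionToken": "example-session-token",
            "Expiration": datetime(2019, 3, 28, 12, 0, tzinfo=timezone.utc),
        }
    }


def is_allowed(role_arn: str, allowed: Set[str]) -> bool:
    """Exact-match allow-list check; no prefix or wildcard matching on purpose."""
    return role_arn in allowed


def credential_process(
    role_arn: str,
    allowed: Set[str],
    assume_role: Callable[[str, str], Dict],
    session_name: str = "credential-process",
) -> Dict:
    """Return the JSON-serialisable document the credential_process contract expects."""
    if not is_allowed(role_arn, allowed):
        raise PermissionError(f"role not in allow-list: {role_arn}")
    creds = assume_role(role_arn, session_name)["Credentials"]
    # The SDKs read Expiration as an ISO 8601 timestamp; emit it in UTC with a Z suffix.
    expiry = creds["Expiration"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": expiry,
    }


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <role-arn>", file=sys.stderr)
        return 2
    try:
        doc = credential_process(argv[1], ALLOWED_ROLES, fake_assume_role)
    except PermissionError as exc:
        # A refused role must produce no credentials at all on stdout.
        print(str(exc), file=sys.stderr)
        return 1
    print(json.dumps(doc))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The allow-list is the only thing standing between a host-mode container and every role the instance profile may assume; keeping it on the host side of the socket, rather than trusting whatever the container passes, is what makes the design comparable to what metadataproxy does for bridge-mode containers.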

amit-singh-rathore commented 5 years ago

I am also looking at the alternative of making use of the ECS agent, if it can be used on EC2 outside of a cluster, since we have task roles which are delivered through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.