@ams0
Created March 3, 2020 14:22
Every pod can query the Azure Instance Metadata Service (https://github.com/cloudbooster/Azure-Instance-Metadata/blob/master/Instance-Metadata.md):

curl -H Metadata:true 'http://169.254.169.254/metadata/instance?api-version=2017-03-01'

and get info on the node etc., even an identity token. Once a managed identity is assigned to the node scale set:

az vmss identity assign -g MC_K8S_NFS_WESTEUROPE -n aks-base-11322803-vmss

any pod can request an access token for Azure Resource Manager (https://management.azure.com/):

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s

Block by:
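# Namespaced: selects every pod in the namespace it is applied to.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-server
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # Allow egress everywhere except the listed addresses.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
        - 51.138.69.49/32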
---
# Cluster-wide Calico policy: deny egress to the metadata endpoint from every endpoint.
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: all()
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      nets:
      - 169.254.169.254/32
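
Kubernetes NetworkPolicies are additive, so the deny-metadata-server policy above only holds while no other policy selecting the same pods re-allows the address. The following audit check is an added example, not part of the original gist: it evaluates the egress rules of a set of policies (dicts shaped like `kubectl get networkpolicy -o json` items) against the metadata IP. Assumptions: every policy passed in selects the pod in question, ports are ignored, and the `ALLOW_ALL` policy is a constructed sample.

```python
import ipaddress

IMDS = ipaddress.ip_address("169.254.169.254")

def rule_allows(rule, ip):
    """True if a single egress rule permits traffic to ip (ports ignored)."""
    peers = rule.get("to")
    if not peers:
        return True  # a rule without 'to' matches every destination
    for peer in peers:
        block = peer.get("ipBlock")
        if block is None:
            continue  # pod/namespace selectors match pod IPs, not the link-local IMDS
        excluded = any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
        if ip in ipaddress.ip_network(block["cidr"]) and not excluded:
            return True
    return False

def egress_allowed(policies, ip=IMDS):
    """Union semantics: traffic passes if no policy isolates egress, or any rule allows it."""
    isolating = []
    for p in policies:
        spec = p["spec"]
        # When policyTypes is omitted, Egress applies only if egress rules are present.
        types = spec.get("policyTypes") or (["Egress"] if "egress" in spec else [])
        if "Egress" in types:
            isolating.append(spec)
    if not isolating:
        return True
    return any(rule_allows(r, ip) for s in isolating for r in s.get("egress") or [])

# The gist's policy, transcribed as a dict.
DENY_METADATA = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                         "except": ["169.254.169.254/32", "51.138.69.49/32"]}}]}]}}
# Constructed sample: a second policy in the same namespace that allows all egress.
ALLOW_ALL = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]}}

if __name__ == "__main__":
    cases = {"no policies": [], "deny-metadata-server": [DENY_METADATA],
             "deny-metadata-server + allow-all": [DENY_METADATA, ALLOW_ALL]}
    for name, pols in cases.items():
        print(f"{name}: IMDS reachable = {egress_allowed(pols)}")
```
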