csantanapr · October 23, 2023 01:35
diff --git a/deny-access-sidecar.yaml b/deny-access-sidecar.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: test
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      initContainers:
      - name: modify-route
        image: csantanapr/go-curl@sha256:3238673b7419dcefff7666aa1cbe92b60bf24ad5670fe6f2da18515790695848
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        env:
        - name: SERVING_POD_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        command: ["/bin/sh", "-c"]
        args:
        - |
          iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 8012 -j DROP
          echo "iptables -A OUTPUT -p tcp -d $SERVING_POD_IP --dport 8012 -j DROP"
          iptables -A OUTPUT -p tcp -d $SERVING_POD_IP --dport 8012 -j DROP
      containers:
      - name: queue-proxy
        image: csantanapr/go-curl@sha256:3238673b7419dcefff7666aa1cbe92b60bf24ad5670fe6f2da18515790695848
        env:
        - name: SERVING_POD_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        command: ["/bin/sh", "-c"]
        args:
        - |
          cat << 'EOF' > main.go
          package main

          import (
            "io"
            "net/http"
            "os"
          )

          func main() {
            http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
              r.RequestURI = ""
              r.URL.Scheme = "http"
              r.URL.Host = "localhost:8080"
              println("forwarded to " + r.URL.Scheme + "//" + r.URL.Host)
              resp, _ := http.DefaultClient.Do(r)
              defer resp.Body.Close()
              w.WriteHeader(resp.StatusCode)
              io.Copy(w, resp.Body)
            })

            // read environment variable IP_ADDRESS into a variable
            ipAddress := os.Getenv("SERVING_POD_IP")
            println("listening on " + ipAddress + ":8012")
            http.ListenAndServe(ipAddress+":8012", nil)
          }
          EOF
          go mod init main
          go mod tidy
          go run .
      - name: user-container
        image: csantanapr/go-curl@sha256:3238673b7419dcefff7666aa1cbe92b60bf24ad5670fe6f2da18515790695848
        command: ["/bin/sh", "-c"]
        args:
        - |
          cat << 'EOF' > main.go
          package main

          import (
            "io"
            "net/http"
          )

          func main() {
            http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
              io.WriteString(w, "Hello, World\n")
            })
            //print listening on port 8080
            println("listening on port 8080")
            http.ListenAndServe(":8080", nil)
          }
          EOF
          go mod init main
          go mod tidy
          go run .
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: test
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: test
	template:
	metadata:
	labels:
	app: test
	spec:
	initContainers:
	- name: modify-route
	image: csantanapr/go-curl@sha256:3238673b7419dcefff7666aa1cbe92b60bf24ad5670fe6f2da18515790695848
	securityContext:
	capabilities:
	add:
	- NET_ADMIN
	env:
	- name: SERVING_POD_IP
	valueFrom:
	fieldRef:
	apiVersion: v1
	fieldPath: status.podIP
	command: ["/bin/sh", "-c"]
	args:
	- \|
	iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 8012 -j DROP
	echo "iptables -A OUTPUT -p tcp -d $SERVING_POD_IP --dport 8012 -j DROP"
	iptables -A OUTPUT -p tcp -d $SERVING_POD_IP --dport 8012 -j DROP
	containers:
	- name: queue-proxy
	image: csantanapr/go-curl@sha256:3238673b7419dcefff7666aa1cbe92b60bf24ad5670fe6f2da18515790695848
	env:
	- name: SERVING_POD_IP
	valueFrom:
	fieldRef:
	apiVersion: v1
	fieldPath: status.podIP
	command: ["/bin/sh", "-c"]
	args:
	- \|
	cat << 'EOF' > main.go
	package main

	import (
	"io"
	"net/http"
	"os"
	)

	func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
	r.RequestURI = ""
	r.URL.Scheme = "http"
	r.URL.Host = "localhost:8080"
	println("forwarded to " + r.URL.Scheme + "//" + r.URL.Host)
	resp, _ := http.DefaultClient.Do(r)
	defer resp.Body.Close()
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
	})

	// read environment variable IP_ADDRESS into a variable
	ipAddress := os.Getenv("SERVING_POD_IP")
	println("listening on " + ipAddress + ":8012")
	http.ListenAndServe(ipAddress+":8012", nil)
	}
	EOF
	go mod init main
	go mod tidy
	go run .
	- name: user-container
	image: csantanapr/go-curl@sha256:3238673b7419dcefff7666aa1cbe92b60bf24ad5670fe6f2da18515790695848
	command: ["/bin/sh", "-c"]
	args:
	- \|
	cat << 'EOF' > main.go
	package main

	import (
	"io"
	"net/http"
	)

	func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
	io.WriteString(w, "Hello, World\n")
	})
	//print listening on port 8080
	println("listening on port 8080")
	http.ListenAndServe(":8080", nil)
	}
	EOF
	go mod init main
	go mod tidy
	go run .