From 4606073f9b8856ca0ebe5adf3f313bdecf22b71e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Sodr=C3=A9?=
Date: Tue, 19 Nov 2019 07:06:09 -0500
Subject: [PATCH 1/2] Support secure AWS Task IAM Roles
The [Task IAM Rules] were extracted verbatim from the Amazon documentation [steps 5, 6, and 7]( https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html) The latter two rules were adapted from [Amazon documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) so that system-docker traffic retains access to the instance-metadata, while traffic from user-docker does not. This documentation change is not sufficient to get Task IAM Roles to work, it requires a modification to the amazon-ecs-agent service, which will follow in a separate commit.
---
 .../v1.x/en/installation/amazon-ecs/_index.md | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/content/os/v1.x/en/installation/amazon-ecs/_index.md b/content/os/v1.x/en/installation/amazon-ecs/_index.md
index fa8bee8a8e..8ecf2670a4 100644
--- a/content/os/v1.x/en/installation/amazon-ecs/_index.md
+++ b/content/os/v1.x/en/installation/amazon-ecs/_index.md
@@ -28,7 +28,16 @@ rancher:
 ECS_AVAILABLE_LOGGING_DRIVERS: |-
 ["json-file","awslogs"]
 # If you have selected a RancherOS AMI that does not have ECS enabled by default,
-# you'll need to enable the system service for the ECS agent.
+# you'll need to enable the system service for the ECS agent, and configure the
+# iptables rules.
+ sysctl:
+ net.ipv4.conf.all.route_localnet: 1
+ network:
+ post_cmds:
+ - iptables -t nat -A PREROUTING -p tcp -d 169.254.170.2 --dport 80 -j DNAT --to-destination 127.0.0.1:51679
+ - iptables -t nat -A OUTPUT -d 169.254.170.2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
+ - iptables --insert DOCKER-USER 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP
+ - iptables --insert DOCKER-USER 1 --in-interface docker-sys --destination 169.254.169.254/32 --jump ACCEPT
 services_include:
 amazon-ecs-agent: true
 ```
@@ -48,6 +57,14 @@ rancher:
 ECS_AGENT_VERSION: :v1.9.0
 # If you have selected a RancherOS AMI that does not have ECS enabled by default,
 # you'll need to enable the system service for the ECS agent.
+ sysctl:
+ net.ipv4.conf.all.route_localnet: 1
+ network:
+ post_cmds:
+ - iptables -t nat -A PREROUTING -p tcp -d 169.254.170.2 --dport 80 -j DNAT --to-destination 127.0.0.1:51679
+ - iptables -t nat -A OUTPUT -d 169.254.170.2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
+ - iptables --insert DOCKER-USER 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP
+ - iptables --insert DOCKER-USER 1 --in-interface docker-sys --destination 169.254.169.254/32 --jump ACCEPT
 services_include:
 amazon-ecs-agent: true
 ```
From 50d713ad1080f2d8385685d7882e9743db3b4cbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Sodr=C3=A9?=
Date: Thu, 21 Nov 2019 00:17:10 -0500
Subject: [PATCH 2/2] Match language
---
 content/os/v1.x/en/installation/amazon-ecs/_index.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/content/os/v1.x/en/installation/amazon-ecs/_index.md b/content/os/v1.x/en/installation/amazon-ecs/_index.md
index 8ecf2670a4..d4d8944d2c 100644
--- a/content/os/v1.x/en/installation/amazon-ecs/_index.md
+++ b/content/os/v1.x/en/installation/amazon-ecs/_index.md
@@ -56,7 +56,8 @@ rancher:
 # Note: You will need to make sure to include the colon in front of the version.
 ECS_AGENT_VERSION: :v1.9.0
 # If you have selected a RancherOS AMI that does not have ECS enabled by default,
- # you'll need to enable the system service for the ECS agent.
+ # you'll need to enable the system service for the ECS agent and configure the
+ # iptables rules.
 sysctl:
 net.ipv4.conf.all.route_localnet: 1
 network: