@@ -161,16 +161,18 @@ func setHostOptions(nwCfg *cni.NetworkConfig, hostSubnetPrefix *net.IPNet, ncSub
161161 }
162162
163163 azureDNSMatch := fmt .Sprintf (" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d" , ncSubnetPrefix .String (), iptables .AzureDNS , iptables .UDP , iptables .DNSPort )
164+ azureIMDSMatch := fmt .Sprintf (" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d" , ncSubnetPrefix .String (), iptables .AzureIMDS , iptables .TCP , iptables .HTTPPort )
164165
165- // TODO remove this rule once we remove adding MASQUEARDE from AgentBaker, check below PR
166- // https://github.com/Azure/AgentBaker/pull/367/files
167- podTrafficAccept := fmt .Sprintf (" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s " , ncSubnetPrefix .String ())
168166 snatPrimaryIPJump := fmt .Sprintf ("%s --to %s" , iptables .Snat , info .ncPrimaryIP )
167+ // we need to snat IMDS traffic to node IP, this sets up snat '--to'
168+ snatHostIPJump := fmt .Sprintf ("%s --to %s" , iptables .Snat , info .hostPrimaryIP )
169169 options [network .IPTablesKey ] = []iptables.IPTableEntry {
170170 iptables .GetCreateChainCmd (iptables .V4 , iptables .Nat , iptables .Swift ),
171- iptables .GetInsertIptableRuleCmd (iptables .V4 , iptables .Nat , iptables .Postrouting , podTrafficAccept , iptables .Accept ),
172171 iptables .GetAppendIptableRuleCmd (iptables .V4 , iptables .Nat , iptables .Postrouting , "" , iptables .Swift ),
172+ // add a snat rule to primary NC IP for DNS
173173 iptables .GetInsertIptableRuleCmd (iptables .V4 , iptables .Nat , iptables .Swift , azureDNSMatch , snatPrimaryIPJump ),
174+ // add a snat rule to node IP for IMDS http traffic
175+ iptables .GetInsertIptableRuleCmd (iptables .V4 , iptables .Nat , iptables .Swift , azureIMDSMatch , snatHostIPJump ),
174176 }
175177
176178 return nil
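Review bot: `snatHostIPJump` on new line 168 is built from `info.hostPrimaryIP` with no check that the field is set, so an empty value silently produces a `SNAT --to ` jump that only fails later when iptables applies the rule, which is harder to diagnose than an early error. Since the function appears to return an error (the hunk ends with `return nil`; its signature and closing are outside the hunk), a guard before the Sprintf such as `if info.hostPrimaryIP == "" { return fmt.Errorf("host primary IP not set, cannot build IMDS snat rule") }` would surface the misconfiguration where it originates; the same applies to the pre-existing `info.ncPrimaryIP` on line 166. The comment on new line 174 would also benefit from stating the trust consequence of the rule, e.g. `// pod IMDS requests leave with the node's primary IP as source, so IMDS cannot distinguish them from the node itself` — presumably deliberate, but worth recording for whoever audits which identities a pod can reach. The two match strings on lines 163 and 164 share one format; a small helper taking destination, protocol and port would keep them from drifting apart.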