Description
Is your feature request related to a problem? Please describe.
The current implementation of the block-access-to-metadata-service built-in rule in the BPF enforcer creates network connection rules for all major cloud providers' metadata services. This approach results in performance overhead as every network connection attempt is checked against multiple IP addresses, even when the workload is only running on a specific cloud platform.
Describe the solution you'd like
Split the metadata service blocking functionality into separate built-in rules for different cloud vendors. This would allow users to enable only the specific cloud provider rules they need, reducing the performance impact of unnecessary network rule checks.
Proposed implementation:
- Create individual rules for each cloud provider (AWS, GCP, Azure, Aliyun, Volc Engine, etc.)
- Maintain backward compatibility by keeping the existing combined rule
- Allow users to enable specific cloud provider rules based on their deployment environment
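To make the trade-off concrete, here is a small Python model of the proposed split, added for illustration and not code from the project or the enforcer. Vendor rule names, and the metadata addresses used as targets, are assumptions for this model; the combined rule is built as the union of the vendor rules so the existing behaviour is preserved, and a connect check that scans the enabled targets linearly shows how many comparisons each configuration costs.

```python
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

IPv4 = ipaddress.IPv4Address

# Hypothetical per-vendor rule table: rule names and addresses are assumed
# for this model (a real enforcer would carry its own definitions).
VENDOR_RULES: Dict[str, FrozenSet[IPv4]] = {
    "aws":        frozenset({IPv4("169.254.169.254")}),
    "gcp":        frozenset({IPv4("169.254.169.254")}),
    "azure":      frozenset({IPv4("169.254.169.254"), IPv4("168.63.129.16")}),
    "aliyun":     frozenset({IPv4("100.100.100.200")}),
    "volcengine": frozenset({IPv4("100.96.0.96")}),
}

# Backward compatibility: the existing combined rule stays available and is
# simply the union of every vendor rule.
COMBINED_RULE: FrozenSet[IPv4] = frozenset().union(*VENDOR_RULES.values())


def enabled_targets(enabled: List[str]) -> FrozenSet[IPv4]:
    """Resolve the enabled built-in rule names to the address set that every
    outbound connection must be compared against."""
    targets: set = set()
    for name in enabled:
        if name == "block-access-to-metadata-service":
            targets |= COMBINED_RULE
        elif name in VENDOR_RULES:
            targets |= VENDOR_RULES[name]
        else:
            raise KeyError(f"unknown built-in rule: {name}")
    return frozenset(targets)


def check_connect(dst: str, enabled: List[str]) -> Tuple[bool, int]:
    """Model the connect hook as a linear scan over the enabled targets, the
    way a flat rule list is walked. Returns (blocked, comparisons_made) so the
    per-connection overhead of each configuration can be compared."""
    addr = IPv4(dst)
    comparisons = 0
    for target in sorted(enabled_targets(enabled)):
        comparisons += 1
        if addr == target:
            return True, comparisons
    return False, comparisons
```

With only `aws` enabled, an ordinary connection costs one comparison instead of one per distinct address in the combined rule; the same configuration does not block the Aliyun endpoint, which is the trade-off operators take on when they narrow the rule set.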
Describe alternatives you've considered
- Current approach: Single rule covering all cloud providers - simple but inefficient
- Dynamic detection: Automatically detect cloud environment and apply relevant rules - complex and may not be reliable
- Configuration-based: Allow users to specify which cloud providers to block via configuration - more flexible but requires user input
The proposed solution of splitting into separate rules provides the best balance of performance optimization and usability.
Additional context
This feature would significantly improve the performance of workloads that use metadata service blocking rules, especially in environments where only one or two cloud providers are relevant.