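# Install Calico through the Tigera operator chart, then the calicoctl CLI.
# The angle brackets around the URLs in the pasted text are markdown
# autolink wrappers, not shell: left in place, `<` is an input redirection
# and both the helm and curl lines fail.
helm repo add projectcalico https://docs.tigera.io/calico/charts
kubectl create namespace tigera-operator
helm install calico projectcalico/tigera-operator --version v3.29.1 --namespace tigera-operator

# Fetch the calicoctl release binary. -f makes curl fail on an HTTP error
# instead of saving the error page, which chmod would then mark executable.
# Check the download against the checksum published with the release
# before moving it onto the PATH.
curl -fL https://github.com/projectcalico/calico/releases/download/v3.29.1/calicoctl-linux-amd64 -o kubectl-calico
chmod +x kubectl-calico
# Installed as calicoctl; the download name kubectl-calico would instead
# register it as a kubectl plugin (`kubectl calico`).
sudo mv kubectl-calico /usr/local/bin/calicoctl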
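# Throwaway pod running the AWS CLI; it is exec'd into below to show what
# a workload can reach on the node's instance metadata service before and
# after the Calico egress policy is applied.
apiVersion: v1
kind: Pod
metadata:
  name: aws
  namespace: default
spec:
  containers:
    - name: aws
      # NOTE(review): a floating tag pulls whatever is current at first
      # pull, and IfNotPresent then keeps that cached copy — pin a tag or
      # digest if this manifest outlives the demo.
      image: amazon/aws-cli:latest
      # Keep the container alive so it can be exec'd into.
      command:
        - sleep
        - "3600"  # quoted so it stays a string argument, not an int
      imagePullPolicy: IfNotPresent
  # Pod-level field: restartPolicy belongs to the PodSpec, not the container.
  restartPolicy: Always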
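# Deploy the probe pod and confirm that, with no policy in place, a
# workload can reach IMDS and obtain the node's IAM identity.
kubectl apply -f aws-cli.yaml
kubectl exec -it aws -- aws sts get-caller-identity

# Collect the node instance IDs by Name tag in a single query over all
# reservations. Indexing Reservations[0] and Reservations[1] separately
# assumes each instance sits in its own reservation; when both share one,
# the second lookup is empty. Only the first two IDs are used here.
read -r INSTANCE1_ID INSTANCE2_ID <<< "$(aws ec2 describe-instances \
  --filters "Name=tag:Name,Values=skills-app-node" \
  --query 'Reservations[].Instances[].InstanceId' \
  --output json | jq -r '.[]' | tr '\n' ' ')"

# Show each node's IMDS settings. HttpTokens=optional means IMDSv1 is
# still accepted; an HttpPutResponseHopLimit above 1 lets a pod behind the
# node's NAT complete the IMDSv2 token handshake as well.
for id in "$INSTANCE1_ID" "$INSTANCE2_ID"; do
  aws ec2 describe-instances --instance-ids "$id" --output table \
    --query 'Reservations[].Instances[].[{EC2: InstanceId, Token: MetadataOptions.HttpTokens, State: MetadataOptions.State, HopCount: MetadataOptions.HttpPutResponseHopLimit}]'
done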
# Cluster-wide egress policy: drop workload traffic to the EC2 instance
# metadata service so processes in pods cannot borrow the node's IAM role.
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: block-imds-access
spec:
  # all() matches every endpoint Calico manages, host endpoints included if
  # any are defined; narrow the selector if node agents need IMDS themselves.
  selector: all()
  # No `types` given, so Calico infers Egress from the rules present and
  # leaves ingress untouched. Rules are evaluated top to bottom; the first
  # match decides.
  egress:
    - action: Deny
      protocol: TCP  # IMDS is HTTP over TCP; this covers the IPv4 endpoint only
      destination:
        nets:
          - 169.254.169.254/32
    # Everything else is explicitly allowed. In Calico an Allow match ends
    # evaluation for that packet, so any policy with a higher order value
    # (no order is set here, so this one sits at the default) that would
    # have denied other egress is never consulted. Use action: Pass if
    # later policies should still apply.
    - action: Allow
      destination:
        nets:
          - 0.0.0.0/0
# Apply the IMDS egress block, then repeat the identity call; with the
# policy in force the CLI is expected to report missing credentials
# instead of returning the node role.
kubectl apply --filename restrict-imds-call.yaml
kubectl exec --stdin --tty aws -- aws sts get-caller-identity
