[kops/template] Fix kops hook installs iptable rule for kiam (#49)

cloudposse-archives · Nov 1, 2019 · 21318ef · 21318ef
1 parent 8c6c5f9
commit 21318ef
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/templates/kops/kops-private-topology.yaml.gotmpl b/templates/kops/kops-private-topology.yaml.gotmpl
@@ -137,14 +137,22 @@ spec:
   # Install iptable entry for kiam which, when kiam is not present, will prevent any access to EC2 metadata
   # NOTE: the interface name (after -i) must be the same as the interface name passed to kiam
   #       and if kiam is not listening on the default 8181 port, you must replace 8181 with the correct port number
-  - after:
-    - network.target
+  - name: kiam-iptables.service
     manifest: |
+      [Unit]
+      Description=Install iptables rule to divert all credential requests to kiam
+      Wants=network-online.target
+      After=network-online.target
+      Before=docker.service
+
+      [Service]
       Type=oneshot
       ExecStart=/bin/sh -c '/sbin/iptables -t nat -A PREROUTING -d 169.254.169.254/32 \
-          -i cali+ -p tcp -m tcp --dport 80 -j DNAT \
-          --to-destination $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4):8181'
-    name: kiam-iptables.service
+        -i cali+ -p tcp -m tcp --dport 80 -j DNAT \
+        --to-destination $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4):8181'
+      RemainAfterExit=yes
+
+    useRawManifest: true
     roles: [Node]
 {{- end }}
 {{- if getenv "TELEPORT_PROXY_DOMAIN_NAME" }}