Document the fact that access to cloud metadata is disabled by default #698

Closed
wookasz opened this issue May 24, 2018 · 4 comments · Fixed by #1564

Comments

@wookasz

wookasz commented May 24, 2018

It's not immediately obvious that iptables are overridden with an init container, blocking access to EC2 metadata.

This should be documented somewhere. Perhaps in https://zero-to-jupyterhub.readthedocs.io/en/latest/amazon/step-zero-aws.html.

@cam72cam
Contributor

I'd be happy to write something up, can one of the maintainers assign the ticket to me?

@metonymic-smokey
Contributor

@cam72cam are you working on this issue?
@yuvipanda could I pick this issue, if no one else is working on it?

Thanks!

@consideRatio
Member

@metonymic-smokey as a long time has passed, you can certainly work on this! ❤️!

Note that I think this is a Kubernetes issue in general, at least on GKE as well. I don't understand all this so well either, other than that we block network access from our user pods to avoid an issue.

@metonymic-smokey
Contributor

metonymic-smokey commented Jan 31, 2020

@consideRatio @wookasz this page in the Security docs touches upon something similar in the Cloud Metadata server security section. It has a brief on how to run iptables in an init container, which could potentially set specific firewall rules for the user pod.

For a start, I've added a brief note about init containers overriding iptables and linked to the page referred to above. Would love more pointers on what I could add!

Another issue with the page: the page referred to above has some commands misaligned with their code blocks and some minor errors. I've tried to fix those here too.

Thanks!
