Block Metadata Service

This is a feature request.

Please add a way to block access to rancher-metadata from a container. Perhaps with a label in the docker-compose.yml?

Reasoning:

Disallowing information of the host from being available to untrusted users accessing the container. Per-environment isolation cannot help in this case, since that’s made for isolating users from each other.

Use case:

I am allowing untrusted users to access containers, while routing all their Internet traffic via a proxy. Having access to rancher-metadata effectively allows the user to get the host’s real IP. That can expose the host to attacks like DDoS, etc.

If rancher-metadata can be made unavailable to (some) containers, the “information leak” problem gets solved easily. As it is, I can’t think of a way to resolve it.

Can you file a GitHub issue for this feature request?