fix: block wireserver port 32526 for non-host network pods (#4754)

Co-authored-by: anujmaheshwari1 <[email protected]>
Azure · Aug 5, 2024 · e2598a3 · e2598a3
1 parent 0b30482
commit e2598a3
Show file tree

Hide file tree

Showing 240 changed files with 245 additions and 80 deletions.
diff --git a/parts/linux/cloud-init/artifacts/block_wireserver.sh b/parts/linux/cloud-init/artifacts/block_wireserver.sh
@@ -10,4 +10,5 @@
 #
 # Note: we should not block all traffic to 168.63.129.16. For example UDP traffic is still needed
 # for DNS.
-iptables -I FORWARD -d 168.63.129.16 -p tcp -m multiport --dports 80,32526 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
diff --git a/parts/linux/cloud-init/artifacts/cse_config.sh b/parts/linux/cloud-init/artifacts/cse_config.sh
@@ -518,12 +518,15 @@ EOF
 # for TCP protocol (which http uses)
 #
 # 168.63.129.16 contains protected settings that have priviledged info.
+# HostGAPlugin (Host-GuestAgent-Plugin) is a web server process that runs on the physical host that serves the operational and diagnostic needs of the in-VM Guest Agent.
+# IT listens on both port 80 and 32526 hence access is only needed for agent but not the containers.
 #
 # The host can still reach 168.63.129.16 because it goes through the OUTPUT chain, not FORWARD.
 #
 # Note: we should not block all traffic to 168.63.129.16. For example UDP traffic is still needed
 # for DNS.
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     # check if kubelet flags contain image-credential-provider-config and image-credential-provider-bin-dir

diff --git a/parts/linux/cloud-init/nodecustomdata.yml b/parts/linux/cloud-init/nodecustomdata.yml
@@ -392,12 +392,15 @@ write_files:
     # for TCP protocol (which http uses)
     #
     # 168.63.129.16 contains protected settings that have priviledged info.
+    # HostGAPlugin (Host-GuestAgent-Plugin) is a web server process that runs on the physical host that serves the operational and diagnostic needs of the in-VM Guest Agent.  
+    # IT listens on both port 80 and 32526 hence access is only needed for agent but not the containers.
     #
     # The host can still reach 168.63.129.16 because it goes through the OUTPUT chain, not FORWARD.
     #
     # Note: we should not block all traffic to 168.63.129.16. For example UDP traffic is still needed
     # for DNS.
     iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+    iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 
 - path: /etc/kubernetes/certs/ca.crt
   permissions: "0600"

diff --git a/pkg/agent/testdata/AKSUbuntu1604+Containerd/CustomData b/pkg/agent/testdata/AKSUbuntu1604+Containerd/CustomData
diff --git a/...Ubuntu1604+TempDisk+Containerd/line315.sh → ...tdata/AKSUbuntu1604+Containerd/line315.sh b/...Ubuntu1604+TempDisk+Containerd/line315.sh → ...tdata/AKSUbuntu1604+Containerd/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+Containerd/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+Containerd/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+CustomLinuxOSConfig/CustomData b/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+CustomLinuxOSConfig/CustomData
diff --git a/...AKSUbuntu1604+TempDiskExplicit/line315.sh → ...eletConfig+CustomLinuxOSConfig/line315.sh b/...AKSUbuntu1604+TempDiskExplicit/line315.sh → ...eletConfig+CustomLinuxOSConfig/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+CustomLinuxOSConfig/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+CustomLinuxOSConfig/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+DynamicKubeletConfig/CustomData b/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+DynamicKubeletConfig/CustomData
diff --git a/...a/AKSUbuntu1604+TempDiskToggle/line315.sh → ...letConfig+DynamicKubeletConfig/line315.sh b/...a/AKSUbuntu1604+TempDiskToggle/line315.sh → ...letConfig+DynamicKubeletConfig/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+DynamicKubeletConfig/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+DynamicKubeletConfig/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=false/CustomData b/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=false/CustomData
diff --git a/...tdata/AKSUbuntu1604+Containerd/line314.sh → ...sable1804SystemdResolved=false/line315.sh b/...tdata/AKSUbuntu1604+Containerd/line314.sh → ...sable1804SystemdResolved=false/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=false/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=false/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=true/CustomData b/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=true/CustomData
diff --git a/...eletConfig+CustomLinuxOSConfig/line314.sh → ...isable1804SystemdResolved=true/line315.sh b/...eletConfig+CustomLinuxOSConfig/line314.sh → ...isable1804SystemdResolved=true/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=true/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=true/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+Docker/CustomData b/pkg/agent/testdata/AKSUbuntu1604+Docker/CustomData
diff --git a/...letConfig+DynamicKubeletConfig/line314.sh → .../testdata/AKSUbuntu1604+Docker/line315.sh b/...letConfig+DynamicKubeletConfig/line314.sh → .../testdata/AKSUbuntu1604+Docker/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+Docker/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+Docker/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+DynamicKubeletConfig/CustomData b/pkg/agent/testdata/AKSUbuntu1604+DynamicKubeletConfig/CustomData
diff --git a/...sable1804SystemdResolved=false/line314.sh → ...buntu1604+DynamicKubeletConfig/line315.sh b/...sable1804SystemdResolved=false/line314.sh → ...buntu1604+DynamicKubeletConfig/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+DynamicKubeletConfig/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+DynamicKubeletConfig/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+EnablePrivateClusterHostsConfigAgent/CustomData b/pkg/agent/testdata/AKSUbuntu1604+EnablePrivateClusterHostsConfigAgent/CustomData
diff --git a/...isable1804SystemdResolved=true/line314.sh → ...PrivateClusterHostsConfigAgent/line314.sh b/...isable1804SystemdResolved=true/line314.sh → ...PrivateClusterHostsConfigAgent/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+EnablePrivateClusterHostsConfigAgent/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+EnablePrivateClusterHostsConfigAgent/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+GPUDedicatedVHD/CustomData b/pkg/agent/testdata/AKSUbuntu1604+GPUDedicatedVHD/CustomData
diff --git a/.../testdata/AKSUbuntu1604+Docker/line314.sh → .../AKSUbuntu1604+GPUDedicatedVHD/line322.sh b/.../testdata/AKSUbuntu1604+Docker/line314.sh → .../AKSUbuntu1604+GPUDedicatedVHD/line322.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+GPUDedicatedVHD/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+GPUDedicatedVHD/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+K8S115/CustomData b/pkg/agent/testdata/AKSUbuntu1604+K8S115/CustomData
diff --git a/...buntu1604+DynamicKubeletConfig/line314.sh → .../testdata/AKSUbuntu1604+K8S115/line315.sh b/...buntu1604+DynamicKubeletConfig/line314.sh → .../testdata/AKSUbuntu1604+K8S115/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+K8S115/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+K8S115/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+K8S117/CustomData b/pkg/agent/testdata/AKSUbuntu1604+K8S117/CustomData
diff --git a/.../testdata/AKSUbuntu1604+K8S115/line314.sh → .../testdata/AKSUbuntu1604+K8S117/line314.sh b/.../testdata/AKSUbuntu1604+K8S115/line314.sh → .../testdata/AKSUbuntu1604+K8S117/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+K8S117/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+K8S117/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+K8S118/CustomData b/pkg/agent/testdata/AKSUbuntu1604+K8S118/CustomData
diff --git a/...KSUbuntu1604+KubeletConfigFile/line314.sh → .../testdata/AKSUbuntu1604+K8S118/line314.sh b/...KSUbuntu1604+KubeletConfigFile/line314.sh → .../testdata/AKSUbuntu1604+K8S118/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+K8S118/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+K8S118/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+KubeletConfigFile/CustomData b/pkg/agent/testdata/AKSUbuntu1604+KubeletConfigFile/CustomData
diff --git a/...PrivateClusterHostsConfigAgent/line313.sh → ...KSUbuntu1604+KubeletConfigFile/line315.sh b/...PrivateClusterHostsConfigAgent/line313.sh → ...KSUbuntu1604+KubeletConfigFile/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+KubeletConfigFile/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+KubeletConfigFile/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+OSKubeletDisk/CustomData b/pkg/agent/testdata/AKSUbuntu1604+OSKubeletDisk/CustomData
diff --git a/.../AKSUbuntu1604+GPUDedicatedVHD/line321.sh → ...ta/AKSUbuntu1604+OSKubeletDisk/line315.sh b/.../AKSUbuntu1604+GPUDedicatedVHD/line321.sh → ...ta/AKSUbuntu1604+OSKubeletDisk/line315.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+OSKubeletDisk/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+OSKubeletDisk/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+TempDisk+Containerd/CustomData b/pkg/agent/testdata/AKSUbuntu1604+TempDisk+Containerd/CustomData
diff --git a/.../testdata/AKSUbuntu1604+K8S117/line313.sh → ...Ubuntu1604+TempDisk+Containerd/line316.sh b/.../testdata/AKSUbuntu1604+K8S117/line313.sh → ...Ubuntu1604+TempDisk+Containerd/line316.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+TempDisk+Containerd/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+TempDisk+Containerd/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+TempDiskExplicit/CustomData b/pkg/agent/testdata/AKSUbuntu1604+TempDiskExplicit/CustomData
diff --git a/.../testdata/AKSUbuntu1604+K8S118/line313.sh → ...AKSUbuntu1604+TempDiskExplicit/line316.sh b/.../testdata/AKSUbuntu1604+K8S118/line313.sh → ...AKSUbuntu1604+TempDiskExplicit/line316.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+TempDiskExplicit/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+TempDiskExplicit/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1604+TempDiskToggle/CustomData b/pkg/agent/testdata/AKSUbuntu1604+TempDiskToggle/CustomData
diff --git a/...ta/AKSUbuntu1604+OSKubeletDisk/line314.sh → ...a/AKSUbuntu1604+TempDiskToggle/line316.sh b/...ta/AKSUbuntu1604+OSKubeletDisk/line314.sh → ...a/AKSUbuntu1604+TempDiskToggle/line316.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1604+TempDiskToggle/line70.sh b/pkg/agent/testdata/AKSUbuntu1604+TempDiskToggle/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+ArtifactStreaming/CustomData b/pkg/agent/testdata/AKSUbuntu1804+ArtifactStreaming/CustomData
diff --git a/...d+NoCustomKubeImageandBinaries/line314.sh → ...KSUbuntu1804+ArtifactStreaming/line314.sh b/...d+NoCustomKubeImageandBinaries/line314.sh → ...KSUbuntu1804+ArtifactStreaming/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+ArtifactStreaming/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+ArtifactStreaming/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd++GPU+runcshimv2/CustomData b/pkg/agent/testdata/AKSUbuntu1804+Containerd++GPU+runcshimv2/CustomData
diff --git a/...untu1804+Containerd+NSeriesSku/line321.sh → ...804+Containerd++GPU+runcshimv2/line321.sh b/...untu1804+Containerd+NSeriesSku/line321.sh → ...804+Containerd++GPU+runcshimv2/line321.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd++GPU+runcshimv2/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+Containerd++GPU+runcshimv2/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+Certsd/CustomData b/pkg/agent/testdata/AKSUbuntu1804+Containerd+Certsd/CustomData
diff --git a/...tomCloud+ootcredentialprovider/line314.sh → ...KSUbuntu1804+Containerd+Certsd/line314.sh b/...tomCloud+ootcredentialprovider/line314.sh → ...KSUbuntu1804+Containerd+Certsd/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+Certsd/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+Containerd+Certsd/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+ContainerdVersion/CustomData b/pkg/agent/testdata/AKSUbuntu1804+Containerd+ContainerdVersion/CustomData
diff --git a/...data/AKSUbuntu2204+CustomCloud/line314.sh → ...4+Containerd+ContainerdVersion/line314.sh b/...data/AKSUbuntu2204+CustomCloud/line314.sh → ...4+Containerd+ContainerdVersion/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+ContainerdVersion/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+Containerd+ContainerdVersion/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPAddress+FQDN/CustomData b/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPAddress+FQDN/CustomData
diff --git a/pkg/agent/testdata/RawUbuntu/line314.sh → ...1804+Containerd+IPAddress+FQDN/line314.sh b/pkg/agent/testdata/RawUbuntu/line314.sh → ...1804+Containerd+IPAddress+FQDN/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPAddress+FQDN/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPAddress+FQDN/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPMasqAgent/CustomData b/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPMasqAgent/CustomData
diff --git a/...KSUbuntu1804+ArtifactStreaming/line313.sh → ...ntu1804+Containerd+IPMasqAgent/line314.sh b/...KSUbuntu1804+ArtifactStreaming/line313.sh → ...ntu1804+Containerd+IPMasqAgent/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPMasqAgent/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+Containerd+IPMasqAgent/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+Calico/CustomData b/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+Calico/CustomData
diff --git a/...804+Containerd++GPU+runcshimv2/line320.sh → ...1804+Containerd+Kubenet+Calico/line314.sh b/...804+Containerd++GPU+runcshimv2/line320.sh → ...1804+Containerd+Kubenet+Calico/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+Calico/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+Calico/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then

diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+FIPSEnabled/CustomData b/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+FIPSEnabled/CustomData
diff --git a/...KSUbuntu1804+Containerd+Certsd/line313.sh → ...Containerd+Kubenet+FIPSEnabled/line314.sh b/...KSUbuntu1804+Containerd+Certsd/line313.sh → ...Containerd+Kubenet+FIPSEnabled/line314.sh
diff --git a/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+FIPSEnabled/line70.sh b/pkg/agent/testdata/AKSUbuntu1804+Containerd+Kubenet+FIPSEnabled/line70.sh
@@ -508,6 +508,7 @@ EOF
 #
 #
 iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 32526 -j DROP
 EOF
 
     if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then