Equinix Metal

    Equinix Metal, formerly Packet, is one of the cloud platforms supported by Lokomotive. This document explains various architecture decisions specific to this platform.

    Blocked access to metadata service

    By default, access to Equinix Metal’s metadata service is blocked for all pods. This is to prevent possible exploitation of information provided by the metadata service such as user data, which may contain secrets.

    To allow an application to access the metadata service, you can create a NetworkPolicy selecting the application.

    Here’s a simple NetworkPolicy that allows pods with the label foo: foo to send packets to any IP address including the metadata service.

    For simplicity, this is a very open NetworkPolicy. You should consider creating a more restrictive one for your production clusters.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-metadata-access
    spec:
      # Only pods carrying the label foo: foo are affected by this policy.
      podSelector:
        matchLabels:
          foo: foo
      policyTypes:
      - Egress
      egress:
      - to:
        - ipBlock:
            # Any destination, which includes the metadata service.
            cidr: 0.0.0.0/0
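    The policy above is deliberately open. As an added check, not part of Lokomotive or its documentation, the following Python linter reads a NetworkPolicy (embedded here as a constructed dict copy of the manifest above) and flags the settings a production policy should tighten: an empty podSelector, an egress rule without a destination list, and an ipBlock far wider than a single metadata endpoint. The 256-address threshold is an assumption chosen for this example.

```python
"""Lint NetworkPolicy egress rules that re-open access to the metadata service.

Constructed example, not Lokomotive code. The policy dict mirrors the page's
permissive manifest; a real run would load the YAML with a YAML parser.
"""
import ipaddress

PERMISSIVE_POLICY = {  # constructed copy of the page's example policy
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-metadata-access"},
    "spec": {
        "podSelector": {"matchLabels": {"foo": "foo"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],
    },
}


def lint_egress_policy(policy, max_hosts=256):
    """Return findings for an egress policy that grants metadata access.

    Flags: an empty podSelector (selects every pod in the namespace), a
    missing Egress policyType (egress rules would be ignored), an egress rule
    with no 'to' (all destinations), and any ipBlock wider than max_hosts.
    """
    findings = []
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    if not (selector.get("matchLabels") or selector.get("matchExpressions")):
        findings.append("podSelector is empty: policy applies to every pod")
    if "Egress" not in spec.get("policyTypes", []):
        findings.append("policyTypes lacks Egress: egress rules are ignored")
    for idx, rule in enumerate(spec.get("egress", [])):
        peers = rule.get("to")
        if not peers:
            findings.append(f"egress[{idx}] has no 'to': allows all destinations")
            continue
        for peer in peers:
            block = peer.get("ipBlock")
            if not block:
                continue
            net = ipaddress.ip_network(block["cidr"], strict=False)
            if net.num_addresses > max_hosts:
                findings.append(f"egress[{idx}] ipBlock {block['cidr']} covers "
                                f"{net.num_addresses} addresses; narrow it")
    return findings


if __name__ == "__main__":
    for finding in lint_egress_policy(PERMISSIVE_POLICY):
        print("WARN:", finding)
```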
    Flatcar Linux Customization

    Flatcar Container Linux deployments on Equinix Metal can be customized with Container Linux Configs. For more information, see Flatcar Container Linux Customization.