[preview env] extend deny egress block

[iQQBot]

Description

From #8336 We added GCP metadata security detection to the Preview environment, so that if GCP metadata is accessible in the workspace, the supervisor will immediately end the process to prevent sensitive information from being leaked.

But if we only block 169.254.169.254, it still can access by HTTP request, I don't know why

Perhaps in GKE, this IP is special and may not be controlled by the network policy

After testing, I found that changing the blocked IP to 169.254.169.254/30 solves the problem, I don't know the exact reason, but it does work

I am not sure this will affect any GKE cluster or just our preview environment, if all GKE clusters affect, I think changing installer network policy is a better way

We have two ways to temporarily alleviate this problem

1. disable metadata detection in the Preview environment
2. use 169.254.169.254/30 as a mitigation measure

This PR use option 2

Related Issue(s)

Fixes #

How to test

Start a workspace, workspace can run

Release Notes

NONE

Documentation

[codecov]

Codecov Report

Merging #8476 (3b6111a) into main (ba168ed) will decrease coverage by 1.13%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #8476      +/-   ##
==========================================
- Coverage   12.31%   11.17%   -1.14%     
==========================================
  Files          20       18       -2     
  Lines        1161      993     -168     
==========================================
- Hits          143      111      -32     
+ Misses       1014      880     -134     
+ Partials        4        2       -2     

Flag	Coverage Δ
components-gitpod-cli-app	11.17% <ø> (ø)
components-local-app-app-darwin-amd64	?
components-local-app-app-darwin-arm64	?
components-local-app-app-linux-amd64	?
components-local-app-app-linux-arm64	?
components-local-app-app-windows-386	?
components-local-app-app-windows-amd64	?
components-local-app-app-windows-arm64	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
components/local-app/pkg/auth/auth.go
components/local-app/pkg/auth/pkce.go

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ba168ed...3b6111a. Read the comment docs.

[iQQBot]

CC @mrsimonemms I am not sure this will affect any GKE cluster or just our preview environment, if all GKE cluster affect, I think changing installer network policy is a better way

[mrsimonemms]

@iQQBot I'm not sure of the underlying cause, but this looks to be ok.

Looking through the code, we have this IP in twice

• workspace (you've got this one in the change)
• image builder mk3 (this isn't changed by your post-processing - should it be?)

[iQQBot]

@mrsimonemms workspace and imagebuild both controlled by network policy workspace-default
in fact, image builder mk3 not need block, because it's our control part, not user control

[iQQBot]

@mrsimonemms can you use GKE start a gitpod cluster, and test it if it can access 169.254.169.254 ?

[mustard-mh]

Test ok, approve to make preview env works