This repository was archived by the owner on Mar 5, 2024. It is now read-only.

Commit 0b59cda

Browse files
chris-h-phillips authored and pingles committed
Supports use of ! prefix for interface name (#54)
There are some CNI implementations that make use of multiple Elastic Network Interfaces and secondary IPs to assign pod IPs directly from the VPC ranges. For example:

    https://github.com/aws/amazon-vpc-cni-k8s
    https://github.com/lyft/cni-ipvlan-vpc-k8s

For kiam to function correctly, it is necessary to have an iptables rule that applies to all of the interfaces that pod traffic may come from. And since these interfaces may be added and removed on demand, it is necessary to have DNAT rules that will continue to work as interfaces come and go.

iptables supports inverted matching for interface names, which can be useful to include all but certain interfaces in rules. For example:

    iptables --append PREROUTING --protocol tcp \
      --destination 169.254.169.254 --dport 80 \
      \! -i loopback --jump DNAT --table nat \
      --to-destination 10.100.100.3:8181

will apply the DNAT rule to all interfaces except the loopback.

This change puts the "!" for inverting the interface before the name of the interface in the rules spec so that inverted rules work as intended.
1 parent cca30c4 commit 0b59cda
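The inverted interface match described in the commit message, worked through as an added Go example (this is not code from the kiam repository): it parses an interface spec with an optional `!` prefix, validates the remaining name, and builds the DNAT rule in the argv form that go-iptables takes, emitting the `!` as its own argument in front of `-i` as iptables requires. The names `ParseInterface`, `RuleSpec`, `CommandLine`, the constant `metadataAddress` and the sample kiam address 10.100.100.3:8181 are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed for this example: the metadata address kiam redirects (as on the page).
const metadataAddress = "169.254.169.254"

// Kernel interface names are at most IFNAMSIZ-1 (15) bytes and cannot contain
// whitespace or '/'. A trailing '+' is an iptables wildcard ("eth+") and is
// allowed; a leading '!' is rejected so that "!!eth0" does not slip through.
var ifaceNameRE = regexp.MustCompile(`^[^\s/!][^\s/]{0,14}$`)

// InterfaceMatch is a parsed interface spec such as "weave" or "!eth0".
type InterfaceMatch struct {
	Name   string // interface name, without the "!" prefix
	Invert bool   // true when the rule should match every interface except Name
}

// ParseInterface splits an optional "!" prefix from the interface name and
// validates what remains, so a bad value fails here rather than inside iptables.
func ParseInterface(spec string) (InterfaceMatch, error) {
	m := InterfaceMatch{}
	name := spec
	if strings.HasPrefix(name, "!") {
		m.Invert = true
		name = strings.TrimPrefix(name, "!")
	}
	if !ifaceNameRE.MatchString(name) {
		return InterfaceMatch{}, fmt.Errorf("invalid interface spec %q: bad interface name %q", spec, name)
	}
	m.Name = name
	return m, nil
}

// RuleSpec builds the argv-style DNAT rule for the nat PREROUTING chain in the
// form go-iptables Append/Exists/Delete accept. For an inverted match the "!"
// must be its own argument placed before "-i" ("! -i eth0" is what iptables
// parses as a negation); "-i !eth0" would not be treated as a negation.
func RuleSpec(m InterfaceMatch, kiamAddr string) []string {
	rule := []string{"-p", "tcp", "-d", metadataAddress, "--dport", "80"}
	if m.Invert {
		rule = append(rule, "!")
	}
	rule = append(rule, "-i", m.Name, "-j", "DNAT", "--to-destination", kiamAddr)
	return rule
}

// CommandLine renders the spec as the equivalent iptables invocation, handy for
// comparing against `iptables -t nat -S PREROUTING` on a node.
func CommandLine(spec []string) string {
	return "iptables -t nat -A PREROUTING " + strings.Join(spec, " ")
}

func main() {
	// Constructed sample specs: the two README entries plus two malformed values.
	for _, s := range []string{"weave", "!eth0", "!", "!!eth0"} {
		m, err := ParseInterface(s)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(CommandLine(RuleSpec(m, "10.100.100.3:8181")))
	}
}
```

The validation step is the part the page's own change does not have: with a bare `!` or a doubled `!!eth0` the rule would only fail later, when iptables is invoked, with a less specific error.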

2 files changed: +17 -3 lines changed


README.md

Lines changed: 9 additions & 1 deletion
@@ -42,7 +42,15 @@ Please also make note of how to configure IAM in your AWS account; notes in [doc
4242
Kiam is split into two processes that run independently.
4343

4444
### Agent
45-
This is the process that would typically be deployed as a DaemonSet to ensure that Pods have no access to the AWS Metadata API. Instead, the agent runs an HTTP proxy which intercepts credentials requests and passes on anything else.
45+
This is the process that would typically be deployed as a DaemonSet to ensure that Pods have no access to the AWS Metadata API. Instead, the agent runs an HTTP proxy which intercepts credentials requests and passes on anything else. An DNAT iptables [rule](cmd/agent/iptables.go) is required to intercept the traffic. The agent is capable of adding and removing the required rule for you through use of the `--iptables` [flag](cmd/agent/main.go). This is the name of the interface where pod traffic originates and it is different for the various CNI implementations. The flag also supports the `!` prefix for inverted matches should you need to match all but one interface.
46+
47+
##### Typical CNI Interface Names #####
48+
49+
| CNI | Interface | Notes |
50+
|-----|-----------|-------|
51+
| [cni-ipvlan-vpc-k8s](https://github.com/lyft/cni-ipvlan-vpc-k8s) | `!eth0` | This CNI plugin attaches multiple ENIs to the instance. Typically eth1-ethN (N depends on the instance type) are used for pods which leaves eth0 for the kubernetes control plane. The ! prefix on the interface name inverts the match so metadata service traffic from all interfaces except eth0 will be sent to the kiam agent. |
52+
| [weave](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/) | `weave` | |
53+
4654

4755
### Server
4856
This process is responsible for connecting to the Kubernetes API Servers to watch Pods and communicating with AWS STS to request credentials. It also maintains a cache of credentials for roles currently in use by running pods- ensuring that credentials are refreshed every few minutes and stored in advance of Pods needing them.
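Review bot: the new sentence in the Agent paragraph reads as though `--iptables` itself takes the interface name ("This is the name of the interface where pod traffic originates"), while the Go hunk below builds the rule from `r.hostInterface`; if the interface name comes from a separate flag, name it here so readers know where the `!` prefix goes. Also "An DNAT iptables rule" should read "A DNAT iptables rule". Two documentation gaps in the new table: the Notes cell for weave is empty, and the `!eth0` row should say what is not intercepted, since the rule sits in PREROUTING with an interface match, so traffic generated on the node itself (host processes and Pods running with hostNetwork: true) never traverses it and can reach the metadata API directly.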

cmd/agent/iptables.go

Lines changed: 8 additions & 2 deletions
@@ -16,6 +16,7 @@ package main
1616
import (
1717
"fmt"
1818
"github.com/coreos/go-iptables/iptables"
19+
"strings"
1920
)
2021

2122
type rules struct {
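Review bot: the added `"strings"` import is placed after the third-party `"github.com/coreos/go-iptables/iptables"` line rather than beside the other standard-library import `"fmt"`; gofmt preserves that order, but goimports and the usual Go convention group stdlib imports first, so move `"strings"` up next to `"fmt"`.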
@@ -42,14 +43,19 @@ func (r *rules) Add() error {
4243
}
4344

4445
func (r *rules) ruleSpec() []string {
45-
return []string{
46+
rules := []string{
4647
"-p", "tcp",
4748
"-d", metadataAddress,
4849
"--dport", "80",
4950
"-j", "DNAT",
5051
"--to-destination", r.kiamAddress(),
51-
"-i", r.hostInterface,
5252
}
53+
if strings.HasPrefix(r.hostInterface, "!") {
54+
rules = append(rules, "!")
55+
}
56+
rules = append(rules, "-i", strings.TrimPrefix(r.hostInterface, "!"))
57+
58+
return rules
5359
}
5460

5561
func (r *rules) Remove() error {
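Review bot: the new local `rules := []string{` in ruleSpec shadows the receiver's type `rules` declared at the top of the file; rename it (for example `spec`) to avoid the confusion. Emitting `"!"` as its own element before `"-i"` is the right shape for an inverted match, but a value of just `"!"` passes the HasPrefix check and produces `-i ""`, and `"!!eth0"` produces `-i "!eth0"`; both only fail later inside iptables with a less specific error, so validate the trimmed name (non-empty, no leading "!") before building the spec. A unit test asserting that ruleSpec for "!eth0" ends in `"!", "-i", "eth0"` would pin the behaviour the commit message describes, and if Remove() reuses ruleSpec() then Exists/Delete stay symmetric with Append for the inverted form as well.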
