[bradfitz]

Even Google's Go client for the GCE metadata uses an IP address:

> Using a fixed IP makes it very difficult to spoof the metadata

https://github.com/googleapis/google-cloud-go/commit/ae56891...

[skj]

Hmm cloud build spoofs it :) if the customer build accessed the underlying VM's metadata it would be very confusing (though not a security issue).

It was not straightforward. I learned a lot about iptables and docker networking.