The Wayback Machine - https://web.archive.org/web/20201110183410/https://github.com/kubernetes/kops/issues/9970
Skip to content

/ kops

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow using AWS Instance Metadata Service Version 2 (IMDSv2) in InstanceGroups #9970

Open
MichaelJDrK opened this issue Sep 18, 2020 · 4 comments
Open

Allow using AWS Instance Metadata Service Version 2 (IMDSv2) in InstanceGroups #9970

MichaelJDrK opened this issue Sep 18, 2020 · 4 comments
Assignees
@ivanlemeshev
Labels
good first issue hacktoberfest

Comments

@MichaelJDrK
Copy link

@MichaelJDrK MichaelJDrK commented Sep 18, 2020

1. Describe IN DETAIL the feature/behavior/change you would like to see.

In AWS EC2 instances there is an Instance Metadata Service with Version 1 and Version 2
(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).

You can enforce usage of IMDSv2 (=disallow v1) setting "HttpTokens" to "required". Or you can turn off IMDS by setting "HttpEndpoint" to "disable".

AWS Foundational Security Best Practices v1.0.0 requires usage of IMDSv2 only with a severity of HIGH (see remediation instructions: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#ec2-8-remediation)

For compliance and security reasons it should be possible to change this setting for an instancegroup (like "httpTokens: required" or something like that.
@rifelpet
Copy link
Member

@rifelpet rifelpet commented Oct 5, 2020
edited

I think this would be pretty straight forward to add. The main decision would be around the new API fields and their names. AWS, GCP, and Alibaba cloud use the term instance metadata, DO uses droplet metadata and Openstack seems to just use metadata. I think we could settle on instanceMetadata as a new section in the InstanceGroupSpec. I didn't want to just use metadata because it could be confused with the cluster resource's metadata itself.

spec:
  instanceMetadata:
    httpPutResponseHopLimit: 1
    httpTokens: required

Some kops and k8s components require access to instance metadata, so I don't think we should support disabling it altogether but we could definitely support requiring IMDSv2 (httpTokens = required) and adjusting the hop limit.

I think adding this would be pretty straight forward and roughly follow the docs we have.

  • API + validation updates. If the new values are set:

    • Ensure we're on AWS
    • Ensure the LaunchTemplates feature flag isn't disabled which would fallback to launch configurations which don't support IMDSv2.

  • Add the new fields to the LaunchTemplate task and pass it into the aws api call

  • Add terraform and cloudformation support to include the new fields in their types

  • Plumb the values from the API into the LT tasks in the model.

  • Update the complex integration test to use the new fields and run ./hack/updated-expected.sh to confirm the new values end up in the terraform and cloudformation outputs.

I'm happy to provide more assistance if anyone wants to take this on 👍
@ivanlemeshev
Copy link

@ivanlemeshev ivanlemeshev commented Oct 7, 2020

Hi @rifelpet I would like to take this issue. Could you assign it to me?
@rifelpet
Copy link
Member

@rifelpet rifelpet commented Oct 7, 2020

/assign @ivanlemeshev
@rifelpet
Copy link
Member

@rifelpet rifelpet commented Oct 14, 2020

@ivanlemeshev do you need any assistance with this? Just checking in
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue hacktoberfest
3 participants
@rifelpet @ivanlemeshev @MichaelJDrK
You can’t perform that action at this time.