Make relnotes match the new max hop limit IMDS behaviour

This commit is contained in:
Ole Markus With 2021-06-06 11:23:50 +02:00
parent ff9d0c8766
commit 6115afd4f5
3 changed files with 14 additions and 6 deletions


@ -2,8 +2,11 @@
By default kOps creates two IAM roles for the cluster: one for the masters, and one for the nodes.
> Please note that currently all Pods running on your cluster have access to the instance IAM role.
> Consider using projects such as [kube2iam](https://github.com/jtblin/kube2iam) to prevent that.
> As of kOps 1.22, new clusters running Kubernetes 1.22 on AWS will restrict Pod access to the instance metadata service.
> This means that Pods will also be prevented from directly assuming instance roles.
> See [IAM Roles for ServiceAccounts](/cluster_spec/#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa) and [instance metadata](/instance_groups/#instancemetadata) documentation.
> Before this, all Pods running on your cluster have access to the instance IAM role.
> Consider enabling the protection mentioned above and use IRSA for your own workloads.
## Access to AWS EC2 Container Registry (ECR)
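Review bot: the added lines "new clusters running Kubernetes 1.22 on AWS will restrict Pod access to the instance metadata service" and "Pods will also be prevented from directly assuming instance roles" overstate the protection. Per the release notes hunk in this same commit, the restriction comes from a 1-hop limit, which still lets Pods using host networking reach the metadata service, and control plane nodes keep a 3-hop limit. Suggest qualifying both sentences, e.g. "will restrict access to the instance metadata service for Pods that do not use host networking". Also, "Before this, all Pods running on your cluster have access to the instance IAM role" should read "had access" or name the version ("On older versions, ..."), and "Consider enabling the protection mentioned above and use IRSA" should be "and using IRSA".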


@ -47,7 +47,9 @@ spec:
## instanceMetadata
By default, both IMDSv1 and IMDSv2 are enabled. The instance metadata service can be configured to allow only IMDSv2.
By default IMDSv2 are enabled as of kOps 1.22 on new clusters using Kubernetes 1.22. The default hop limit is 3 on control plane nodes, and 1 on other roles.
On other versions, you can enable IMDSv2 like this:
```YAML
spec:

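Review bot: "By default IMDSv2 are enabled as of kOps 1.22" is ungrammatical and also misleading, since the removed line already said IMDSv2 was enabled alongside IMDSv1; what changes in 1.22, according to the release notes hunk, is that tokens become required and the hop limits are set. Suggest: "As of kOps 1.22, new clusters running Kubernetes 1.22 require IMDSv2 (tokens required) by default. The default hop limit is 3 on control plane nodes and 1 on other roles." The following "On other versions, you can enable IMDSv2 like this:" should then say "require IMDSv2", and the section should also show how to relax the new default, which the release notes do via `httpTokens: optional`.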

@ -8,7 +8,12 @@ This is a document to gather the release notes prior to the release.
## Instance metadata service version 2
On AWS, kOps will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) by default with a max-hop-limit of 1 on new clusters that use Kubernetes 1.22. This means that any container running in the cluster will be unable to connect to the instance metadata _unless_ the container is running with `hostNetworking: true`. This will increase security by default, but may break some types of workloads. In order to revert to old behavior, add the following to the InstanceGroup:
On AWS, kOps will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes 1.22. In addition, the following max hop limits will be set by default:
* worker and API server Nodes, and bastions, will have a limit of 1 hop.
* control plane nodes will have a limit of 3 hops to accommodate for controller Pods without host networking that need to assume roles.
This will increase security by default, but may break some types of workloads. In order to revert to old behavior, add the following to the InstanceGroup:
```
spec:
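Review bot: dropping the removed sentence "any container running in the cluster will be unable to connect to the instance metadata _unless_ the container is running with `hostNetworking: true`" loses the one line that tells operators why a hop limit of 1 breaks workloads; suggest keeping it after the bullet list, adjusted for the 3-hop control plane case. Minor: "API server Nodes" should be lowercase "nodes" to match the next bullet, and "accommodate for controller Pods" should be "accommodate controller Pods". Since the revert snippet that follows only shows `httpTokens: optional` in the visible lines, check that it also covers the hop limit, or state that it only restores optional tokens and not the old hop limit.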
@ -16,8 +21,6 @@ spec:
httpTokens: optional
```
This change only affects dedicated API server nodes and worker nodes. It does not affect control plane nodes.
## Other significant changes
* New clusters running Kubernetes 1.22 will have AWS EBS CSI driver enabled by default.