From b3a60d3bc24e690b033fabd0148c589baf685fc5 Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Tue, 27 Apr 2021 10:44:23 +0200 Subject: [PATCH] Set IMDSv2 on by default for nodes Bastion, nodes, and api servers get limit of 1 API servers tend to run pods requiring metadata access. The hop limit depends on CNI, but all should work with a limit of 3. --- docs/releases/1.22-NOTES.md | 14 +++++++++ .../minimal-1.22/expected-v1alpha2.yaml | 6 ++++ upup/pkg/fi/cloudup/new_cluster.go | 29 +++++++++++++++++++ 3 files changed, 49 insertions(+) diff --git a/docs/releases/1.22-NOTES.md b/docs/releases/1.22-NOTES.md index 41d316c085..f6f95e7eef 100644 --- a/docs/releases/1.22-NOTES.md +++ b/docs/releases/1.22-NOTES.md @@ -6,6 +6,20 @@ This is a document to gather the release notes prior to the release. # Significant changes +## Instance metadata service version 2 + + On AWS, kOps will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) by default with a max-hop-limit of 1 on new clusters that use Kubernetes 1.22. This means that any container running in the cluster will be unable to connect to the instance metadata _unless_ the container is running with `hostNetworking: true`. This will increase security by default, but may break some types of workloads. In order to revert to old behavior, add the following to the InstanceGroup: + +``` +spec: + instanceMetadata: + httpTokens: optional +``` + +This change only affects dedicated API server nodes and worker nodes. It does not affect control plane nodes. + +## Other significant changes + * New clusters running Kubernetes 1.22 will have AWS EBS CSI driver enabled by default. # Breaking changes diff --git a/tests/integration/create_cluster/minimal-1.22/expected-v1alpha2.yaml b/tests/integration/create_cluster/minimal-1.22/expected-v1alpha2.yaml index c70687c0d1..118c42ce3c 100644 --- a/tests/integration/create_cluster/minimal-1.22/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/minimal-1.22/expected-v1alpha2.yaml @@ -66,6 +66,9 @@ metadata: name: master-us-test-1a spec: image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210415 + instanceMetadata: + httpPutResponseHopLimit: 3 + httpTokens: required machineType: m3.medium maxSize: 1 minSize: 1 @@ -86,6 +89,9 @@ metadata: name: nodes-us-test-1a spec: image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210415 + instanceMetadata: + httpPutResponseHopLimit: 1 + httpTokens: required machineType: t2.medium maxSize: 1 minSize: 1 diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go index 8a76cc0946..4e4f6e5ace 100644 --- a/upup/pkg/fi/cloudup/new_cluster.go +++ b/upup/pkg/fi/cloudup/new_cluster.go @@ -693,6 +693,13 @@ func setupMasters(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap g.Spec.Zones = []string{zone} } + if cluster.IsKubernetesGTE("1.22") { + g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{ + HTTPPutResponseHopLimit: fi.Int64(3), + HTTPTokens: fi.String("required"), + } + } + masters = append(masters, g) } } @@ -807,6 +814,13 @@ func setupNodes(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap ma g.Spec.Zones = []string{zone} } + if cluster.IsKubernetesGTE("1.22") { + g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{ + HTTPPutResponseHopLimit: fi.Int64(1), + HTTPTokens: fi.String("required"), + } + } + nodes = append(nodes, g) } @@ -848,6 +862,13 @@ func setupAPIServers(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetM g.Spec.Zones = []string{zone} } + if cluster.IsKubernetesGTE("1.22") { + g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{ + HTTPPutResponseHopLimit: fi.Int64(1), + HTTPTokens: fi.String("required"), + } + } + nodes = append(nodes, g) } @@ -998,6 +1019,14 @@ func setupTopology(opt *NewClusterOptions, cluster *api.Cluster, allZones sets.S if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE { bastionGroup.Spec.Zones = allZones.List() } + + if cluster.IsKubernetesGTE("1.22") { + bastionGroup.Spec.InstanceMetadata = &api.InstanceMetadataOptions{ + HTTPPutResponseHopLimit: fi.Int64(1), + HTTPTokens: fi.String("required"), + } + } + } default: