kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14879 from hakman/aws_imds_all_clusters 

aws: Set IMDS defaults for existing clusters
This commit is contained in:
Kubernetes Prow Robot 2023-01-10 22:25:19 -08:00 committed by GitHub
parent 9303a40dbe f490b27e39
commit d247c0b37d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
56 changed files with 110 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/instance_groups.md
View File

@ -47,9 +47,9 @@ spec:
## instanceMetadata
By default IMDSv2 are enabled as of kOps 1.22 on new clusters using Kubernetes 1.22. The default hop limit is 3 on control plane nodes, and 1 on other roles.
By default, IMDSv2 is enabled for newly created clusters. The default hop limit is 1 for all node roles, except for control plane nodes with Kubernetes version lower than 1.26 or IRSA disabled, for which the default hop limit is 3. As of Kubernetes 1.27, these defaults are applied to existing clusters also.
On other versions, you can enable IMDSv2 like this:
To enable IMDSv2 add the following configuration to the instance group:
```YAML
spec:
@ -58,6 +58,14 @@ spec:
httpTokens: required
```
To disable IMDSv2 add the following configuration to the instance group:
```YAML
spec:
instanceMetadata:
httpTokens: optional
```
## externalLoadBalancers
Instance groups can be linked to up to 10 load balancers. When attached, any instance launched will

2
docs/releases/1.27-NOTES.md
View File

@ -8,6 +8,8 @@ This is a document to gather the release notes prior to the release.
## AWS
* As of Kubernetes version 1.27, all nodes will default to running with the instance metadata service enabled, with max hop limit of 1. Control plane nodes with IRSA disabled will default to running with a max hop limit of 3.
## GCP
# Breaking changes

6
pkg/model/awsmodel/autoscalinggroup.go
View File

@ -185,7 +185,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.CloudupMode
Lifecycle: b.Lifecycle,
CPUCredits: fi.PtrTo(fi.ValueOf(ig.Spec.CPUCredits)),
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo(ec2.LaunchTemplateHttpTokensStateOptional),
HTTPTokens: fi.PtrTo(ec2.LaunchTemplateHttpTokensStateRequired),
HTTPProtocolIPv6: fi.PtrTo(ec2.LaunchTemplateInstanceMetadataProtocolIpv6Disabled),
IAMInstanceProfile: link,
ImageID: fi.PtrTo(ig.Spec.Image),
@ -288,10 +288,14 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.CloudupMode
if ig.Spec.InstanceMetadata != nil && ig.Spec.InstanceMetadata.HTTPPutResponseHopLimit != nil {
lt.HTTPPutResponseHopLimit = ig.Spec.InstanceMetadata.HTTPPutResponseHopLimit
} else if ig.IsControlPlane() && (b.Cluster.IsKubernetesLT("1.26") || !b.UseServiceAccountExternalPermissions()) {
lt.HTTPPutResponseHopLimit = fi.PtrTo[int64](3)
}
if ig.Spec.InstanceMetadata != nil && ig.Spec.InstanceMetadata.HTTPTokens != nil {
lt.HTTPTokens = ig.Spec.InstanceMetadata.HTTPTokens
} else if b.IsKubernetesLT("1.27") {
lt.HTTPTokens = fi.PtrTo(ec2.LaunchTemplateHttpTokensStateOptional)
}
if rootVolumeType == ec2.VolumeTypeIo1 || rootVolumeType == ec2.VolumeTypeIo2 {

2
tests/integration/update_cluster/apiservernodes/kubernetes.tf
View File

@ -522,7 +522,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
View File

@ -543,7 +543,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-bastionuserdata-exampl
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/compress/kubernetes.tf
View File

@ -322,7 +322,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-compress-example-com"
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/containerd-custom/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-containerd-example-com
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/containerd/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-containerd-example-com
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/digit/kubernetes.tf
View File

@ -409,7 +409,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-123-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/docker-custom/kubernetes.tf
View File

@ -348,7 +348,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-docker-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

6
tests/integration/update_cluster/existing_iam/kubernetes.tf
View File

@ -459,7 +459,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-existing-iam-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -542,7 +542,7 @@ resource "aws_launch_template" "master-us-test-1b-masters-existing-iam-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -625,7 +625,7 @@ resource "aws_launch_template" "master-us-test-1c-masters-existing-iam-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

6
tests/integration/update_cluster/existing_sg/kubernetes.tf
View File

@ -562,7 +562,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-existingsg-example-com
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -645,7 +645,7 @@ resource "aws_launch_template" "master-us-test-1b-masters-existingsg-example-com
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -728,7 +728,7 @@ resource "aws_launch_template" "master-us-test-1c-masters-existingsg-example-com
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/external_dns/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/externallb/kubernetes.tf
View File

@ -337,7 +337,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-externallb-example-com
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/externalpolicies/kubernetes.tf
View File

@ -411,7 +411,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-externalpolicies-examp
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

6
tests/integration/update_cluster/ha/kubernetes.tf
View File

@ -531,7 +531,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-ha-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -614,7 +614,7 @@ resource "aws_launch_template" "master-us-test-1b-masters-ha-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -697,7 +697,7 @@ resource "aws_launch_template" "master-us-test-1c-masters-ha-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/irsa/kubernetes.tf
View File

@ -436,7 +436,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/karpenter/kubernetes.tf
View File

@ -610,7 +610,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
View File

@ -623,7 +623,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/many-addons-ccm-irsa24/kubernetes.tf
View File

@ -608,7 +608,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/many-addons-ccm-irsa25/kubernetes.tf
View File

@ -608,7 +608,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/many-addons-ccm/kubernetes.tf
View File

@ -434,7 +434,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/many-addons/kubernetes.tf
View File

@ -419,7 +419,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-etcd/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-etcd-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-gp3/kubernetes.tf
View File

@ -329,7 +329,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf
View File

@ -396,7 +396,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "enabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf
View File

@ -396,7 +396,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "enabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf
View File

@ -396,7 +396,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "enabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-ipv6/kubernetes.tf
View File

@ -396,7 +396,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "enabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-longclustername/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-this-is-truly-a-really
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal-warmpool/kubernetes.tf
View File

@ -341,7 +341,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-warmpool-examp
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/minimal_gossip/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-k8s-local" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

6
tests/integration/update_cluster/mixed_instances/kubernetes.tf
View File

@ -549,7 +549,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-mixedinstances-example
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -632,7 +632,7 @@ resource "aws_launch_template" "master-us-test-1b-masters-mixedinstances-example
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -715,7 +715,7 @@ resource "aws_launch_template" "master-us-test-1c-masters-mixedinstances-example
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

6
tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf
View File

@ -549,7 +549,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-mixedinstances-example
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -632,7 +632,7 @@ resource "aws_launch_template" "master-us-test-1b-masters-mixedinstances-example
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {
@ -715,7 +715,7 @@ resource "aws_launch_template" "master-us-test-1c-masters-mixedinstances-example
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/nth-imds-processor/kubernetes.tf
View File

@ -333,7 +333,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-nthimdsprocessor-longc
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/nvidia/kubernetes.tf
View File

@ -338,7 +338,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/private-shared-ip/kubernetes.tf
View File

@ -524,7 +524,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-private-shared-ip-exam
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/private-shared-subnet/kubernetes.tf
View File

@ -519,7 +519,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-private-shared-subnet-
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privatecanal/kubernetes.tf
View File

@ -542,7 +542,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecanal-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privatecilium-eni/kubernetes.tf
View File

@ -542,7 +542,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecilium-example-
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privatecilium/kubernetes.tf
View File

@ -542,7 +542,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecilium-example-
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privatecilium2/kubernetes.tf
View File

@ -542,7 +542,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecilium-example-
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf
View File

@ -559,7 +559,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privateciliumadvanced-
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privatedns1/kubernetes.tf
View File

@ -625,7 +625,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatedns1-example-co
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privatedns2/kubernetes.tf
View File

@ -533,7 +533,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatedns2-example-co
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privateflannel/kubernetes.tf
View File

@ -542,7 +542,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privateflannel-example
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privatekopeio/kubernetes.tf
View File

@ -548,7 +548,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatekopeio-example-
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/privateweave/kubernetes.tf
View File

@ -565,7 +565,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privateweave-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf
View File

@ -438,7 +438,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/shared_subnet/kubernetes.tf
View File

@ -324,7 +324,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-sharedsubnet-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/shared_vpc/kubernetes.tf
View File

@ -324,7 +324,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-sharedvpc-example-com"
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf
View File

@ -378,7 +378,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "enabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/unmanaged/kubernetes.tf
View File

@ -524,7 +524,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-unmanaged-example-com"
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

2
tests/integration/update_cluster/vfs-said/kubernetes.tf
View File

@ -354,7 +354,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" {
metadata_options {
http_endpoint = "enabled"
http_protocol_ipv6 = "disabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = 3
http_tokens = "optional"
}
monitoring {

52
upup/pkg/fi/cloudup/new_cluster.go
View File

@ -878,14 +878,16 @@ func setupControlPlane(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubne
g.Spec.Zones = []string{zone}
}
if cloudProvider == api.CloudProviderAWS {
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(3)),
HTTPTokens: fi.PtrTo("required"),
if cluster.IsKubernetesLT("1.27") {
if cloudProvider == api.CloudProviderAWS {
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(3)),
HTTPTokens: fi.PtrTo("required"),
}
}
if cluster.IsKubernetesGTE("1.26") && fi.ValueOf(cluster.Spec.IAM.UseServiceAccountExternalPermissions) {
g.Spec.InstanceMetadata.HTTPPutResponseHopLimit = fi.PtrTo(int64(1))
}
}
if cluster.IsKubernetesGTE("1.26") && fi.ValueOf(cluster.Spec.IAM.UseServiceAccountExternalPermissions) {
g.Spec.InstanceMetadata.HTTPPutResponseHopLimit = fi.PtrTo(int64(1))
}
g.Spec.MachineType = opt.ControlPlaneSize
@ -1007,10 +1009,12 @@ func setupNodes(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap ma
g.Spec.Zones = []string{zone}
}
if cloudProvider == api.CloudProviderAWS {
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
if cluster.IsKubernetesLT("1.27") {
if cloudProvider == api.CloudProviderAWS {
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
}
}
}
@ -1029,9 +1033,11 @@ func setupKarpenterNodes(opt *NewClusterOptions, cluster *api.Cluster, zoneToSub
g.Spec.Manager = api.InstanceManagerKarpenter
g.ObjectMeta.Name = "nodes"
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
if cluster.IsKubernetesLT("1.27") {
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
}
}
return []*api.InstanceGroup{g}, nil
@ -1074,10 +1080,12 @@ func setupAPIServers(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetM
g.Spec.Zones = []string{zone}
}
if cloudProvider == api.CloudProviderAWS {
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
if cluster.IsKubernetesLT("1.27") {
if cloudProvider == api.CloudProviderAWS {
g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
}
}
}
@ -1276,9 +1284,11 @@ func setupTopology(opt *NewClusterOptions, cluster *api.Cluster, allZones sets.S
bastionGroup.Spec.Zones = allZones.List()
}
bastionGroup.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
if cluster.IsKubernetesLT("1.27") {
bastionGroup.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
HTTPTokens: fi.PtrTo("required"),
}
}
bastionGroup.Spec.Image = opt.BastionImage