From f490b27e398cd61de23a1f2890b42a4d5109bf13 Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Mon, 26 Dec 2022 07:01:57 +0200 Subject: [PATCH] Update IMDSv2 docs --- docs/instance_groups.md | 12 ++++++++++-- docs/releases/1.27-NOTES.md | 2 ++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/instance_groups.md b/docs/instance_groups.md index e47e2fa1b8..fb4e1cd683 100644 --- a/docs/instance_groups.md +++ b/docs/instance_groups.md @@ -47,9 +47,9 @@ spec: ## instanceMetadata -By default IMDSv2 are enabled as of kOps 1.22 on new clusters using Kubernetes 1.22. The default hop limit is 3 on control plane nodes, and 1 on other roles. +By default, IMDSv2 is enabled for newly created clusters. The default hop limit is 1 for all node roles, except for control plane nodes with Kubernetes version lower than 1.26 or IRSA disabled, for which the default hop limit is 3. As of Kubernetes 1.27, these defaults are applied to existing clusters also. -On other versions, you can enable IMDSv2 like this: +To enable IMDSv2 add the following configuration to the instance group: ```YAML spec: @@ -58,6 +58,14 @@ spec: httpTokens: required ``` +To disable IMDSv2 add the following configuration to the instance group: + +```YAML +spec: + instanceMetadata: + httpTokens: optional +``` + ## externalLoadBalancers Instance groups can be linked to up to 10 load balancers. When attached, any instance launched will diff --git a/docs/releases/1.27-NOTES.md b/docs/releases/1.27-NOTES.md index 668afc1d87..859b306b97 100644 --- a/docs/releases/1.27-NOTES.md +++ b/docs/releases/1.27-NOTES.md @@ -8,6 +8,8 @@ This is a document to gather the release notes prior to the release. ## AWS +* As of Kubernetes version 1.27, all nodes will default to running with the instance metadata service enabled, with max hop limit of 1. Control plane nodes with IRSA disabled will default to running with a max hop limit of 3. + ## GCP # Breaking changes
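Review bot: In the first docs/instance_groups.md hunk (`@@ -47,9 +47,9 @@`), the sentence "As of Kubernetes 1.27, these defaults are applied to existing clusters also" does not say whether the trigger is the cluster's Kubernetes version or the kOps release. The removed line kept the two apart ("as of kOps 1.22 on new clusters using Kubernetes 1.22"), so please state which one applies here. The new lead-in "To enable IMDSv2 add the following configuration" also reads oddly right after a paragraph saying IMDSv2 is enabled by default. Suggest saying when an operator still needs to set `httpTokens: required` explicitly, for example on an existing cluster that has not yet picked up the new defaults. Since the paragraph is now mostly about hop limits, it would also help to show how the hop limit is overridden per instance group, because neither YAML example covers it.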
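Review bot: In the second docs/instance_groups.md hunk (`@@ -58,6 +58,14 @@`), "To disable IMDSv2" overstates what `httpTokens: optional` does. With that value the instance still answers IMDSv2 requests; it additionally accepts token-less IMDSv1 requests. Suggest rewording to something like "To also allow IMDSv1 (session tokens optional), add the following configuration", and adding one sentence that this relaxes the default, so that readers do not copy it as a routine troubleshooting step without knowing it re-opens unauthenticated metadata access on the node.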
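Review bot: In the docs/releases/1.27-NOTES.md hunk (`@@ -8,6 +8,8 @@`), the release note and the docs/instance_groups.md text in this same patch disagree on the exception. The note says only "Control plane nodes with IRSA disabled" get a hop limit of 3, while instance_groups.md says "control plane nodes with Kubernetes version lower than 1.26 or IRSA disabled". Please make the two match. "Running with the instance metadata service enabled" is also ambiguous, since the change being described is IMDSv2 (`httpTokens: required`) becoming the default, not the metadata service being switched on. Finally, the bullet sits under the plain "## AWS" heading, but it changes behaviour on existing clusters (workloads that reach the metadata service across more than one hop will stop getting responses at a hop limit of 1), so consider repeating or moving it under "# Breaking changes" with a pointer to the instanceMetadata override.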