
Configuration of the EC2 metadata endpoint

Open · aljoshare opened this issue 3 years ago

/kind feature

Describe the solution you'd like:

As a user I would like to configure a specific metadata version on each EC2 instance started by CAPI and/or disable the metadata endpoint completely. I would prefer to use the AWSMachineTemplate to disable/enable the metadata endpoint, set the metadata version (e.g. IMDSv2) and set the HttpPutResponseHopLimit.

For example:

apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSMachineTemplate
metadata:
  name: test
spec:
  template:
    spec:
      httpEndpointEnabled: true     # true or false allowed
      httpTokens: required          # required (v2 only) or optional (v1 or v2) allowed
      httpPutResponseHopLimit: 1    # 1-64 allowed

Anything else you would like to add:

IMDSv2 is the second version of the instance metadata service and it uses a session-based approach while v1 uses a request/response method. Because it's a security issue to use v1 instead of v2, AWS Security Hub reports it with a severity of HIGH.

  • AWS supports it via the EC2 console/AWS CLI for new instances and via the AWS CLI for running instances.
  • Terraform supports it via the Metadata Options field.

Environment:

  • Cluster-api-provider-aws version: 1.5.0
  • Kubernetes version: (use kubectl version): 1.23
  • OS (e.g. from /etc/os-release): Amazon Linux 2

aljoshare avatar Sep 23 '22 13:09 aljoshare
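To make the requested settings concrete from the defender's side, here is an added example (not code from the issue author or from cluster-api-provider-aws) that audits the three metadata options the issue names. It parses output in the shape of `aws ec2 describe-instances --output json`, where each instance carries a `MetadataOptions` object with `HttpEndpoint`, `HttpTokens` and `HttpPutResponseHopLimit`, and flags instances that still allow IMDSv1 or expose the endpoint beyond the chosen hop limit. The instance records are constructed sample data, not real instances.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`,
# trimmed to the fields this check needs. The instance ids are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0123456789abcdef0",   # hardened: v2 only, hop limit 1
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0123456789abcdef1",   # still accepts IMDSv1 requests
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0123456789abcdef2",   # v2 only, but reachable from one extra hop
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0123456789abcdef3",   # endpoint disabled entirely
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "disabled",
                             "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]}]
})


def audit_metadata_options(describe_output: str, max_hop_limit: int = 1) -> dict:
    """Return {instance_id: [finding, ...]} for every instance whose IMDS settings
    fall short of the baseline: IMDSv2 required and hop limit <= max_hop_limit.

    An instance with HttpEndpoint disabled has no metadata exposure at all, so its
    other options are irrelevant and it produces no findings.
    """
    findings = {}
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            problems = []
            tokens = opts.get("HttpTokens")
            if tokens != "required":
                # "optional" means v1 (no session token) is still accepted.
                problems.append(f"IMDSv1 allowed (HttpTokens={tokens})")
            hop = opts.get("HttpPutResponseHopLimit")
            if hop is None or hop > max_hop_limit:
                problems.append(f"HttpPutResponseHopLimit={hop} exceeds {max_hop_limit}")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def remediation_command(instance_id: str, hop_limit: int = 1) -> str:
    """Build the AWS CLI call that applies the hardened options to a running instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-endpoint enabled --http-tokens required "
            f"--http-put-response-hop-limit {hop_limit}")


if __name__ == "__main__":
    for instance_id, problems in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, "->", "; ".join(problems))
        print("   fix:", remediation_command(instance_id))
```

The hop-limit threshold is a parameter because the right value depends on the cluster: a limit of 1 stops pods on the bridge network from reaching IMDS (usually what you want, since workloads should use IAM roles for service accounts instead), while a limit of 2 is needed where pods legitimately rely on the node's instance profile. Run the audit with `max_hop_limit=2` in that case and the third sample instance is no longer reported.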

From triage:

  • We should consider moving to v2 globally
  • And having an option to disable completely

/triage accepted
/priority important-soon

richardcase avatar Oct 17 '22 16:10 richardcase

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 15 '23 17:01 k8s-triage-robot

/remove-lifecycle stale

richardcase avatar Jan 16 '23 14:01 richardcase

cc @muraee might want to pick this one

enxebre avatar Jan 19 '23 15:01 enxebre

I would like to work on this one
/assign

muraee avatar Jan 19 '23 15:01 muraee