kube2iam
kube2iam:2.6.0 not working with metadata version v2
Hi @jtblin, I am using kube2iam-2.6.0 with EKS version 1.17+. When I deploy the kube2iam pod it goes into CrashLoopBackOff with the error:

```
time="2021-02-10T08:04:19Z" level=fatal msg="EC2 Metadata is not available, are you running on EC2?"
```

Whereas the EC2 instance seems to be running. Do I need to change anything in the setup? I have also added the following in the instance user data:

```sh
# Request an IMDSv2 session token, then use it to read instance metadata
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/ami-id
```
Have you set up the iptable rules as per the README?
@jtblin Even with `--iptables=true` we still see the same error msg
@jtblin We are also facing the same issue with kube2iam:2.6.0.
Any update here? @jtblin
@AS011 Are your worker nodes set to require metadata HTTP tokens? If so, I believe kube2iam is only compatible with IMDSv1.
Hi David,
Thanks for the response.
My production upgrade is blocked due to this. I have a couple of clarifications.
1- How would I know if my worker nodes are set to require metadata HTTP tokens?
2- Why will IMDSv1 matter to me, because I already have kube2iam working with 10.1 version and that shows no such Connect errors? Or are you saying this version of kube2iam that I am upgrading to, which is 10.11, by default enables IMDSv2? If yes, how could I get around it, and what are my options if I want to use IMDSv2?
Ahmed F
Hi @jtblin. We have just disabled IMDSv1 on our worker nodes and we face the same issue with kube2iam. Are you looking to fix this, as it appears the fix may already exist in #325? Any update will be greatly appreciated.
Hi @jtblin. Any updates on it? Issue still exists.
Can we please get this pushed? Facing the same issue.
Also facing this issue - any timeline on this PR?
I will echo the previous commenters... is there some testing/confirmation that would be useful here?
@jtblin can we have this PR merged?
This seems to be an issue especially when using it in combination with Karpenter (https://karpenter.sh/v0.24.0/concepts/node-templates/#specmetadataoptions) -> `httpTokens: required`. Only works when removing the default value:

```yaml
metadataOptions:
  httpPutResponseHopLimit: 2
```
I use EKS by using eksctl.
I solve this error by setting the `disableIMDSv1: false` option on yaml.
I hope kube2iam supports IMDSv2.

```yaml
# yaml (https://eksctl.io/usage/schema/#)
managedNodeGroups:
  - name: ~~~
    ...
    disableIMDSv1: false # Use IMDSv1 instead of IMDSv2
```
Thanks @Alien2150. Adding the exact option value that fixed the kube2iam issue for Karpenter nodes.

```yaml
apiVersion: karpenter.k8s.aws/v1beta1
kind: EC2NodeClass
metadata:
  name: xxxxxxxx
  namespace: xxxxxxx
spec:
  metadataOptions:
    httpTokens: optional
```
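
One way to answer the question raised earlier in the thread about whether a worker node requires metadata HTTP tokens, as an added example that is not part of the original thread or of kube2iam: a probe that compares a token-less (IMDSv1-style) request with the IMDSv2 token handshake. The function names, the `IMDS` override variable and the script name `imds-mode.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not kube2iam code: report which IMDS mode this host enforces.
# IMDS is the link-local endpoint used in the thread; override it for testing.
IMDS="${IMDS:-http://169.254.169.254}"

# HTTP status of a token-less (IMDSv1-style) GET; curl prints 000 if unreachable.
imds_v1_status() {
  curl -s -o /dev/null -m 2 -w '%{http_code}' "$IMDS/latest/meta-data/"
}

# IMDSv2 handshake: PUT for a session token; -f makes HTTP errors return non-zero.
imds_v2_token() {
  curl -s -f -m 2 -X PUT "$IMDS/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# Prints one word: optional | required | required-token-blocked | unavailable
imds_mode() (
  v1="$(imds_v1_status)" || v1="000"
  token="$(imds_v2_token)" || token=""
  case "$v1" in
    200) echo "optional" ;;                 # IMDSv1 answered: token-less clients work
    401) if [ -n "$token" ]; then
           echo "required"                  # httpTokens: required, IMDSv2-only host
         else
           echo "required-token-blocked"    # 401 on v1 and no token came back
         fi ;;
    *)   echo "unavailable" ;;              # endpoint disabled or not reachable
  esac
)

# Run the probe only when asked, e.g. `sh imds-mode.sh probe` (hypothetical name).
if [ "${1:-}" = "probe" ]; then imds_mode; fi
```

Run it on the worker node itself. `required` corresponds to the `httpTokens: required` setting that the commenters above changed back to `optional`, and `required-token-blocked` is worth checking against `httpPutResponseHopLimit` when the probe runs inside a container.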