Kops: Allow using AWS Instance Metadata Service Version 2 (IMDSv2) in InstanceGroups

Created on 18 Sep 2020  路  8Comments  路  Source: kubernetes/kops

1. Describe IN DETAIL the feature/behavior/change you would like to see.

In AWS EC2 instances there is an Instance Metadata Service with Version 1 and Version 2
(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).

You can enforce usage of IMDSv2 (=disallow v1) setting "HttpTokens" to "required". Or you can turn off IMDS by setting "HttpEndpoint" to "disable".

AWS Foundational Security Best Practices v1.0.0 requires usage of IMDSv2 only with a severity of HIGH (see remediation instructions: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#ec2-8-remediation)

For compliance and security reasons it should be possible to change this setting for an instancegroup (like "httpTokens: required" or something like that.

good first issue hacktoberfest
Source
picture MichaelJDrK
👍5

Most helpful comment

I think this would be pretty straight forward to add. The main decision would be around the new API fields and their names. AWS, GCP, and Alibaba cloud use the term instance metadata, DO uses droplet metadata and Openstack seems to just use metadata. I think we could settle on instanceMetadata as a new section in the InstanceGroupSpec. I didn't want to just use metadata because it could be confused with the cluster resource's metadata itself.

spec:
  instanceMetadata:
    httpPutResponseHopLimit: 1
    httpTokens: required

Some kops and k8s components require access to instance metadata, so I don't think we should support disabling it altogether but we could definitely support requiring IMDSv2 (httpTokens = required) and adjusting the hop limit.

I think adding this would be pretty straight forward and roughly follow the docs we have.

  • API + validation updates. If the new values are set:

    • Ensure we're on AWS

    • Ensure the LaunchTemplates feature flag isn't disabled which would fallback to launch configurations which don't support IMDSv2.

  • Add the new fields to the LaunchTemplate task and pass it into the aws api call

  • Add terraform and cloudformation support to include the new fields in their types

  • Plumb the values from the API into the LT tasks in the model.

  • Update the complex integration test to use the new fields and run ./hack/updated-expected.sh to confirm the new values end up in the terraform and cloudformation outputs.

I'm happy to provide more assistance if anyone wants to take this on 馃憤

picture rifelpet on 5 Oct 2020
👍3

All 8 comments

I think this would be pretty straight forward to add. The main decision would be around the new API fields and their names. AWS, GCP, and Alibaba cloud use the term instance metadata, DO uses droplet metadata and Openstack seems to just use metadata. I think we could settle on instanceMetadata as a new section in the InstanceGroupSpec. I didn't want to just use metadata because it could be confused with the cluster resource's metadata itself.

spec:
  instanceMetadata:
    httpPutResponseHopLimit: 1
    httpTokens: required

Some kops and k8s components require access to instance metadata, so I don't think we should support disabling it altogether but we could definitely support requiring IMDSv2 (httpTokens = required) and adjusting the hop limit.

I think adding this would be pretty straight forward and roughly follow the docs we have.

  • API + validation updates. If the new values are set:

    • Ensure we're on AWS

    • Ensure the LaunchTemplates feature flag isn't disabled which would fallback to launch configurations which don't support IMDSv2.

  • Add the new fields to the LaunchTemplate task and pass it into the aws api call

  • Add terraform and cloudformation support to include the new fields in their types

  • Plumb the values from the API into the LT tasks in the model.

  • Update the complex integration test to use the new fields and run ./hack/updated-expected.sh to confirm the new values end up in the terraform and cloudformation outputs.

I'm happy to provide more assistance if anyone wants to take this on 馃憤

rifelpet picture rifelpet on 5 Oct 2020
👍3

Hi @rifelpet I would like to take this issue. Could you assign it to me?

ivanlemeshev picture ivanlemeshev on 7 Oct 2020

/assign @ivanlemeshev

rifelpet picture rifelpet on 7 Oct 2020

@ivanlemeshev do you need any assistance with this? Just checking in

rifelpet picture rifelpet on 14 Oct 2020
👍2

@rifelpet Would love to work on this if @ivanlemeshev is not actively working on this issue. Getting into the kops codebase nowadays :)

bharath-123 picture bharath-123 on 15 Nov 2020

@bharath-123 feel free to open a PR

rifelpet picture rifelpet on 16 Nov 2020

@rifelpet I see that launch configurations are able to support only IMDSv2. I am able to create a launch configuration in aws manually with only IMDSv2 enabled. I do think Launch configurations support IMDSv2?

bharath-123 picture bharath-123 on 21 Nov 2020

Ah, I did not know that. We are moving away from LaunchConfigurations though- 1.19 will default to LaunchTemplates and a few minor releases after that I expect us to drop support for LaunchConfigurations, so I think only implementing this for LTs would be fine.

rifelpet picture rifelpet on 21 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

RXminuS picture RXminuS  路  5Comments
joshbranham picture joshbranham  路  3Comments
mikejoh picture mikejoh  路  3Comments
DocValerian picture DocValerian  路  4Comments
lnformer picture lnformer  路  3Comments