aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

eks: support for blocking node-level instance metadata #31124

Open trondhindenes opened 4 weeks ago

trondhindenes commented 4 weeks ago

Describe the feature

According to https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node, it's strongly recommended to disallow pods from accessing the node's instance metadata.

Since this is a strong recommendation, it's troubling that cdk-eks doesn't support this for managed node groups. The only way I can see to do this today is by specifying a full node template, which kind of defeats the purpose of managed node groups.

Use Case

To follow AWS' best practices

Proposed Solution

Allow supplying an optional "metadata options" object to the node group.

Other Information

No response

Acknowledgements

CDK version used

2.151.0

Environment details (OS name and version, etc.)

Ubuntu 24

pahud commented 4 weeks ago

Thank you for bringing this to our attention. Except for baking your own launchTemplate for MNG, I didn't see any option out-of-the-box for that in cloudformation. But I noticed this:

EKS adds support for IMDSv2 by enabling both v1 and v2 and changing the hop limit to 2 on nodes provisioned by eksctl or with the official CloudFormation templates.

I will reach out internally to see what we can do from CFN's perspective and improve CDK accordingly.

pahud commented 4 weeks ago

internal tracking: V1486188294

pahud commented 4 weeks ago

OK, I tried to create a default nodegroup using code like this:


    new eks.Cluster(this, 'dummy-eks-cluster', {
      clusterName: 'dummy-eks-cluster',
      vpc,
      version: eks.KubernetesVersion.V1_30,
      kubectlLayer: new KubectlV30Layer(this, 'kubectl'),
      defaultCapacity: 1,
    } )

And checked the launchTemplate the managed nodegroup is associated with.

I see this:

[image: launch template screenshot]

So I am pretty sure:

  1. the default token hop limit would be 2
  2. there are no props like metadataOptions in AWS::EKS::Nodegroup to let you customize that in CFN, so CDK won't be able to do that either.
  3. setting the hop limit to 2 should be generally recommended for compatibility as described here, but in some cases if you really have to set it to 1, you need to bake your own launchTemplate and pass it to the managed nodegroup.
  4. If you would like AWS::EKS::Nodegroup to include the metadataOptions property, the best place is to submit an FR at https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues

Let me know if you have any other concerns.
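The two points above (no metadataOptions on AWS::EKS::Nodegroup, so only a custom launch template can tighten IMDS access) can be checked mechanically on the output of `cdk synth --json`. The following is an added example, not code from this issue or from the aws-cdk project: it walks a CloudFormation template, flags managed nodegroups that have no launch template (and therefore get the EKS default of IMDSv1+v2 with hop limit 2) or reference one outside the template, and flags launch templates whose MetadataOptions do not require IMDSv2 or allow a hop limit above 1. The hop limit matters because a pod sits one network hop away from the node; with a limit of 1 the IMDSv2 PUT response never reaches the pod's network namespace, while 2 lets it through. The sample template, resource names and the `dummy-eks-cluster` nodegroups are constructed for the example.

```typescript
// Added example (not code from the issue or from aws-cdk): audit a synthesized
// CloudFormation template for worker nodes whose pods could still reach the
// instance metadata service (IMDS).
//
// Logic taken from the thread: AWS::EKS::Nodegroup has no MetadataOptions, so
// a nodegroup without a LaunchTemplate gets the EKS default (IMDSv1 and v2,
// hop limit 2). Only a custom AWS::EC2::LaunchTemplate can require IMDSv2 and
// set the hop limit to 1, which stops a pod (one hop away from the node)
// from completing the IMDSv2 token handshake.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface Finding { resource: string; reason: string }

// A nodegroup's LaunchTemplate.Id is either {Ref: <logical id>} for a launch
// template defined in the same stack, or a literal lt-... id of an external one.
function launchTemplateRef(props: Record<string, any>): string | undefined {
  const id = props.LaunchTemplate?.Id;
  if (typeof id === 'string') return id;
  if (id && typeof id === 'object' && typeof id.Ref === 'string') return id.Ref;
  return undefined;
}

// maxHopLimit = 1 is the best-practices setting that keeps pods off IMDS.
function auditImds(template: CfnTemplate, maxHopLimit = 1): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type === 'AWS::EC2::LaunchTemplate') {
      const md = res.Properties?.LaunchTemplateData?.MetadataOptions ?? {};
      if (md.HttpEndpoint === 'disabled') continue; // IMDS off: nothing to reach
      if (md.HttpTokens !== 'required') {
        findings.push({ resource: logicalId,
          reason: `HttpTokens is ${md.HttpTokens ?? 'unset (optional)'}: IMDSv1 still answers` });
      }
      const hop = md.HttpPutResponseHopLimit ?? 1; // EC2 default when unset
      if (hop > maxHopLimit) {
        findings.push({ resource: logicalId,
          reason: `HttpPutResponseHopLimit ${hop} exceeds ${maxHopLimit}: pods can reach IMDS` });
      }
    } else if (res.Type === 'AWS::EKS::Nodegroup') {
      const ref = launchTemplateRef(res.Properties ?? {});
      if (ref === undefined) {
        findings.push({ resource: logicalId,
          reason: 'no LaunchTemplate: EKS default applies (IMDSv1+v2, hop limit 2)' });
      } else if (!(ref in template.Resources)) {
        findings.push({ resource: logicalId,
          reason: `LaunchTemplate ${ref} is outside this template: MetadataOptions not verified` });
      }
    }
  }
  return findings;
}

// Constructed sample resembling synth output for two nodegroups of the
// 'dummy-eks-cluster' from the thread: one on a hardened launch template,
// one relying on the EKS default.
const sampleTemplate: CfnTemplate = {
  Resources: {
    HardenedLT: {
      Type: 'AWS::EC2::LaunchTemplate',
      Properties: { LaunchTemplateData: { MetadataOptions: {
        HttpEndpoint: 'enabled', HttpTokens: 'required', HttpPutResponseHopLimit: 1 } } },
    },
    HardenedNodegroup: {
      Type: 'AWS::EKS::Nodegroup',
      Properties: { ClusterName: 'dummy-eks-cluster',
        LaunchTemplate: { Id: { Ref: 'HardenedLT' },
                          Version: { 'Fn::GetAtt': ['HardenedLT', 'LatestVersionNumber'] } } },
    },
    DefaultNodegroup: {
      Type: 'AWS::EKS::Nodegroup',
      Properties: { ClusterName: 'dummy-eks-cluster' },
    },
  },
};

// Stand-alone run: only DefaultNodegroup is reported.
for (const f of auditImds(sampleTemplate)) console.log(`${f.resource}: ${f.reason}`);
```

To run it against a real stack, `JSON.parse` the file written by `cdk synth --json` and pass it to `auditImds`. In aws-cdk-lib the hardened launch template in the sample corresponds to `new ec2.LaunchTemplate(this, 'NodeLT', { httpTokens: ec2.LaunchTemplateHttpTokens.REQUIRED, httpPutResponseHopLimit: 1 })`, handed to the nodegroup through `launchTemplateSpec: { id: lt.launchTemplateId!, version: lt.latestVersionNumber }` on `cluster.addNodegroupCapacity`, which is the "bake your own launchTemplate" route described above; whether hop limit 1 breaks a given workload that legitimately needs IMDS from inside a pod is the compatibility caveat in point 3, so the `maxHopLimit` parameter lets the check be relaxed to 2 where that is a deliberate decision.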

github-actions[bot] commented 3 weeks ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

trondhindenes commented 3 weeks ago

Thanks for checking up on this. The guidance in the eks-best-practices docs is a bit counter-intuitive for me, since it recommends both "1" and "2" as token-hop limits; it's not clear to me when we'd need to set the limit to 2 and when it should be lowered to 1. But that's not CDK's fault. Thanks for checking up on this anyway!