Prevent unexpected privileges escalation

cloudposse / terraform-aws-eks-node-group

Terraform module to provision a fully managed AWS EKS Node Group

https://cloudposse.com/accelerate

Apache License 2.0

91 stars 128 forks source link

Prevent unexpected privileges escalation #136

Closed gillg closed 1 year ago

gillg commented 1 year ago

what

The current variable input_metadata_http_put_response_hop_limit condition, prevent to protect users of this module, to be protected against privileges escalation. The first intent of IMDSv2 is to prevent containers beeing able to assume an EC2 instance profile. It's not a bad idea at all to prevent that. The good practice then is to use the module cloudposse/eks-iam-role/aws to create a kubernetes service account mapped with IAM permissions throug an OIDC IdP.

references

https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node

gillg commented 1 year ago

Does anyone can take a look ? randomly @Gowiem

max-lobur commented 1 year ago

Makes sense, thanks for this. I think we will change default too, but will check regression first

gillg commented 1 year ago

Makes sense, thanks for this. I think we will change default too, but will check regression first

Fine to me, but be careful with the default... ^^ A lot of people will have unexpected permissions not working anymore. It's a breaking change.

max-lobur commented 1 year ago

/test all

max-lobur commented 1 year ago

Both failures unrelated, I will fix in separate PR