jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License
1.97k stars 318 forks

:bug: Remove remote address header when any IMDSv2 tokens are used #279

Closed jhuntwork closed 3 years ago

jhuntwork commented 3 years ago

Even after #270 we have experienced 403s from the metadata service while using the AWS VPC CNI with any pods not using host networking. This indicated that while the PUT requests for tokens were now working correctly, the subsequent GET requests still had the X-Forwarded-For header which AWS rejects with a 403.
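The failure described in the comment above can be reproduced with Go's standard `httputil.ReverseProxy`, which appends `X-Forwarded-For` to every forwarded request unless the Director leaves a nil entry for that header. The following is an added example, not kube2iam's code and not part of the original thread; `stripForwardedFor`, `statusThroughProxy` and the stand-in metadata server are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

const tokenHeader = "X-Aws-Ec2-Metadata-Token"           // sent on IMDSv2 GETs
const ttlHeader = "X-Aws-Ec2-Metadata-Token-Ttl-Seconds" // sent on the token PUT

// stripForwardedFor forwards token-bearing requests without X-Forwarded-For.
func stripForwardedFor(p *httputil.ReverseProxy) {
	director := p.Director
	p.Director = func(r *http.Request) {
		director(r)
		if r.Header.Get(tokenHeader) != "" || r.Header.Get(ttlHeader) != "" {
			// A nil entry tells ReverseProxy not to add the client IP.
			r.Header["X-Forwarded-For"] = nil
		}
	}
}

// statusThroughProxy proxies a token-bearing GET to a constructed stand-in for
// the metadata service (403 when a token arrives with X-Forwarded-For).
func statusThroughProxy(strip bool) int {
	imds := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(tokenHeader) != "" && r.Header.Get("X-Forwarded-For") != "" {
			w.WriteHeader(http.StatusForbidden)
		}
	}))
	defer imds.Close()
	target, _ := url.Parse(imds.URL)
	rp := httputil.NewSingleHostReverseProxy(target)
	if strip {
		stripForwardedFor(rp)
	}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/latest/meta-data/", nil)
	req.Header.Set(tokenHeader, "constructed-token") // constructed sample value
	rp.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusThroughProxy(false), statusThroughProxy(true)) }
```

A regression test for a metadata proxy can assert the same thing against a fake upstream: no request carrying either IMDSv2 header should reach it with `X-Forwarded-For` set.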

coveralls commented 3 years ago

Coverage Status

Coverage remained the same at 19.481% when pulling bd376a1ae7c507c8f883d8285d09213d0f461cef on o11n:imdsv2 into ccdaac8d59e95a64b67ae055b4b963386c32fad8 on jtblin:master.

mwhittington21 commented 3 years ago

Thanks for the fix!