jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License

kube2iam:2.6.0 not working with metadata version v2 #300

Open AS011 opened 3 years ago

AS011 commented 3 years ago

Hi @jtblin, I am using kube2iam-2.6.0 with EKS version 1.17+. When I deploy the kube2iam pod it goes into CrashLoopBackOff with the error:

time="2021-02-10T08:04:19Z" level=fatal msg="EC2 Metadata is not available, are you running on EC2?"

Whereas the EC2 instance seems to be running. Do I need to change anything in the setup? I have also added the following in the instance user data:

# Request an IMDSv2 session token, then use it for the metadata calls
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
  && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/ami-id

jtblin commented 3 years ago

Have you set up the iptable rules as per the README?


kkapoor1987 commented 3 years ago

@jtblin Even with --iptables=true we still see the same error msg

saithejareddy commented 3 years ago

@jtblin We are also facing the same issue with kube2iam:2.6.0.

saithejareddy commented 3 years ago

Any update here? @jtblin

dmbower commented 2 years ago

@AS011 Are your worker nodes set to require metadata HTTP tokens? If so, I believe kube2iam is only compatible with IMDSv1.

ahmsb8884 commented 2 years ago

Hi David,

Thanks for the response.

My production upgrade is blocked due to this. I have a couple of clarifications.

1- How would I know if my worker nodes are set to require meta http data tokens?

2- Why will IMDSv1 matter to me, because I already have kube2iam working with 10.1 version and that shows no such Connect errors? Or are you saying this version of kube2iam that I am upgrading to, which is 10.11, by default enables IMDSv2? If yes, how could I get around it, and what are my options if I want to use IMDSv2?

Ahmed F

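An added example, not part of the thread and not kube2iam's code: one way to answer question 1 above is to compare a token-less (IMDSv1) request with a token-bearing (IMDSv2) request, the same two kinds of request as the curl commands in the first post. `fake_imds`, `call` and `probe_imds` are hypothetical names, and the local server is a constructed stand-in for 169.254.169.254 so that the script runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def fake_imds(required):
    """Constructed stand-in for 169.254.169.254; required=True mimics httpTokens: required."""
    class Handler(BaseHTTPRequestHandler):
        def do_PUT(self):  # PUT /latest/api/token issues a session token
            self.reply(200, b"constructed-token")
        def do_GET(self):
            tok = self.headers.get("X-aws-ec2-metadata-token")
            ok = tok == "constructed-token" or (tok is None and not required)
            self.reply(200 if ok else 401, b"ami-constructed" if ok else b"")
        def reply(self, code, body):
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # silence per-request logging
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def call(method, url, headers):
    """Return (status, body); status 0 means no HTTP answer arrived within 2 seconds."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:
        return 0, ""

def probe_imds(base):
    """Compare a token-less (IMDSv1) GET with a token-bearing (IMDSv2) GET."""
    v1, _ = call("GET", base + "/latest/meta-data/ami-id", {})
    v2, tok = call("PUT", base + "/latest/api/token",
                   {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if v2 == 200:
        v2, _ = call("GET", base + "/latest/meta-data/ami-id",
                     {"X-aws-ec2-metadata-token": tok})
    mode = {200: "optional", 401: "required"}.get(v1)
    return mode if v2 == 200 and mode else f"unknown (v1={v1} v2={v2})"

if __name__ == "__main__":
    srv = fake_imds(required=True)
    print(probe_imds(f"http://127.0.0.1:{srv.server_port}"))
```

On a node, pass `http://169.254.169.254` as `base`; a `required` result is the setting this thread reports as breaking kube2iam 2.6.0.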

cmsmith7 commented 2 years ago

Hi @jtblin, we have just disabled IMDSv1 on our worker nodes and we face the same issue with kube2iam. Are you looking to fix this? It appears the fix may already exist in #325. Any update will be greatly appreciated.

NeunJa commented 2 years ago

Hi @jtblin, any updates on it? The issue still exists.

razorsk8jz commented 2 years ago

Can we please get this pushed? Facing the same issue.

copeia commented 2 years ago

Also facing this issue - any timeline on this PR?

jgdef-tulip commented 2 years ago

I will echo the previous commenters... is there some testing/confirmation that would be useful here?

mozz-lx commented 2 years ago

@jtblin can we have this PR merged?

Alien2150 commented 1 year ago

This seems to be an issue especially when using it in combination with Karpenter (https://karpenter.sh/v0.24.0/concepts/node-templates/#specmetadataoptions) -> httpTokens: required. Only works when removing the default value:

metadataOptions:
  httpPutResponseHopLimit: 2

hanamurayuki commented 10 months ago

I use EKS via eksctl. I solved this error by setting the disableIMDSv1: false option in the YAML. I hope kube2iam supports IMDSv2.

# yaml (https://eksctl.io/usage/schema/#)
managedNodeGroups:
  - name: ~~~
    ...
    disableIMDSv1: false # Use IMDSv1 instead of IMDSv2

pradeepnnv commented 6 months ago

Thanks @Alien2150. Adding the exact option value that fixed the kube2iam issue for Karpenter nodes.

apiVersion: karpenter.k8s.aws/v1beta1
kind: EC2NodeClass
metadata:
  name: xxxxxxxx
  namespace: xxxxxxx
spec:
  metadataOptions:
    httpTokens: optional