Closed wyike closed 1 year ago
This issue is currently awaiting triage.
If CAPA/CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
/assign
This wasn't fixed yet, right?
I think it's more like a feature enhancement :)
Yes, what I meant to say is that if it is done or not... :D
ah, SORRY...my eyes 😵... I'll submit the commit.
/kind feature
Describe the solution you'd like [A clear and concise description of what you want to happen.]
Regarding https://github.com/kubernetes-sigs/cluster-api-provider-aws/pull/4037 support, I would propose to set the default HTTPPutResponseHopLimit to 2 in a container environment.
When customers are using an instance profile role instead of base64 AWS credentials (very typical usage in production env), the capa container needs 2 hops to retrieve AWS credentials from the metadata service. If the default hop limit is 1, capa fails to get credentials and fails at first with:
If we set HTTPPutResponseHopLimit to 2 as the default, it will avoid failures in capa and other applications that need to access AWS. Otherwise we need customers to set the awsmachine template explicitly:
They are very likely to forget or not be aware of this and get a failed env.
Another benefit is that customers don't need to change the awsmachinetemplate very often due to the HopLimit issue in production env, which, as we know, is immutable, and it is a burden to update to a new machinetemplate.
I also see that setting HTTPPutResponseHopLimit to 2 is recommended in container environments: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations
https://aws.amazon.com/about-aws/whats-new/2020/08/amazon-eks-supports-ec2-instance-metadata-service-v2/
Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]
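An added example, not part of the issue or of CAPA's code: a Python audit over `aws ec2 describe-instances` output that reports which instances would leave a containerized client without IMDS credentials. The sample JSON and instance IDs are constructed, the function names are hypothetical, and the two-hop figure for a container is the one given in the issue text.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output (not real data).
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
 {"InstanceId": "i-0000000000000000a", "MetadataOptions":
  {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
 {"InstanceId": "i-0000000000000000b", "MetadataOptions":
  {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
 {"InstanceId": "i-0000000000000000c", "MetadataOptions":
  {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
 {"InstanceId": "i-0000000000000000d", "MetadataOptions":
  {"HttpEndpoint": "disabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}}
]}]}
""")

# Assumption: 1 hop for a process on the host or a hostNetwork pod,
# 2 hops for a container behind its own network interface.
CONTAINER_HOPS = 2


def classify(options, hops=CONTAINER_HOPS):
    """Return how a caller `hops` away from IMDS experiences these options."""
    if not options:
        return "unknown"
    if options.get("HttpEndpoint") != "enabled":
        return "imds-disabled"
    if options.get("HttpPutResponseHopLimit", 1) >= hops:
        return "ok"
    # The response to PUT /latest/api/token is dropped before reaching the caller.
    if options.get("HttpTokens") == "required":
        return "blocked"        # no session token, and IMDSv1 requests are refused
    return "imdsv1-fallback"    # only the session-less IMDSv1 path still answers


def audit(describe_output, hops=CONTAINER_HOPS):
    """Map instance id -> classification for every instance in the output."""
    result = {}
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            options = instance.get("MetadataOptions", {})
            result[instance["InstanceId"]] = classify(options, hops)
    return result


if __name__ == "__main__":
    for instance_id, verdict in audit(SAMPLE).items():
        print(instance_id, verdict)
```

Instances reported as `blocked` match the failure described in the issue; `imdsv1-fallback` marks the case the linked AWS guidance warns about, where clients fall back to IMDSv1 after a delay.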