Open agray-ctm opened 1 week ago
This issue is currently awaiting triage. If Karpenter contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance. The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Description
Observed Behavior: My team uses the terraform-aws-modules/eks module to create our baseload nodes where we run Karpenter. As expected, these default to a hop limit of 2, thus allowing pods to access the IMDSv2 service.
AWS EKS - See metadata_options
However, Karpenter EC2NodeClass defaults to a hop limit of 1, disabling access as specified in: Disable IMDSv2
Karpenter - spec.metadata_options.httpPutResponseHopLimit
While I understand that from a security standpoint it makes sense to disable IMDSv2, I do not agree that this is a sensible default.
My team upgraded from AL2 to AL2023, knowing that our EKS module would set hop limit to 2, but then our entire dev environment went down because this default on Karpenter prevented kubernetes-sigs/aws-load-balancer-controller pods from getting the VPC-ID (was not explicitly provided).
Expected Behavior: Default hop limit is 2, in line with the terraform-aws-modules default, thus allowing IMDSv2 traffic.
I do not think that Karpenter should be the one to make the call to disable this feature provided by AWS.
Reproduction Steps (Please include YAML): Fail to override the spec.metadataOptions.httpPutResponseHopLimit default.
Versions:
Chart Version: 1.0.6
Kubernetes Version: 1.28
OS: AL2023 (IMDSv1 disabled)
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
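For readers hitting the same outage, this is an added example (not from the issue author or the Karpenter project) of an EC2NodeClass that overrides the hop-limit default the issue describes while keeping the IMDSv2 token requirement; the role name and discovery tag value are placeholders.

```yaml
# Added example: explicitly set the IMDS hop limit on a Karpenter EC2NodeClass.
# Karpenter's default for spec.metadataOptions.httpPutResponseHopLimit is 1,
# which stops pods on the bridge network from reaching IMDS; the EKS Terraform
# module the issue mentions defaults to 2. Setting 2 here matches that module.
apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
  name: al2023-hop-limit-2
spec:
  amiSelectorTerms:
    - alias: al2023@latest          # AL2023, as in the reported environment
  role: KarpenterNodeRole-PLACEHOLDER   # placeholder: your node IAM role
  subnetSelectorTerms:
    - tags:
        karpenter.sh/discovery: CLUSTER-NAME-PLACEHOLDER
  securityGroupSelectorTerms:
    - tags:
        karpenter.sh/discovery: CLUSTER-NAME-PLACEHOLDER
  metadataOptions:
    httpEndpoint: enabled
    httpProtocolIPv6: disabled
    httpTokens: required            # IMDSv2 only; v1 stays disabled
    httpPutResponseHopLimit: 2      # override of Karpenter's default of 1
```

A hop limit of 2 lets every non-hostNetwork pod on the node query IMDS, so the narrower alternative is to keep the default of 1 and pass the VPC ID to aws-load-balancer-controller explicitly (its Helm chart exposes this as the vpcId value) so the controller never needs IMDS for that lookup.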