Default EC2NodeClass Hop Limit Breaks IMDSv2

Description

Observed Behavior: My team uses the terraform-aws-modules/eks module to create our baseload nodes where we run Karpenter. As expected, these default to a hop limit of 2, thus allowing pods to access the IMDSv2 service.

AWS EKS - See metadata_options

However, Karpenter EC2NodeClass defaults to a hop limit of 1, disabling access as specified in: Disable IMDSv2

Karpenter - spec.metadata_options.httpPutResponseHopLimit

While I understand that from a security standpoint it makes sense to disable IMDSv2, I do not agree that this is a sensible default.

My team upgraded from AL2 to AL2023, knowing that our EKS module would set hop limit to 2, but then our entire dev environment went down because this default on Karpenter prevented kubernetes-sigs/aws-load-balancer-controller pods from getting the VPC-ID (was not explicitly provided).

Expected Behavior: Default hop limit is 2, inline with the terraform-aws-modules default, thus allowing IMDSv2 traffic.

I do not think that Karpenter should be the one to make the call to disable this feature provided by AWS.

Reproduction Steps (Please include YAML): Fail to override the spec.metadataOptions.httpPutResponseHopLimit default.

Versions:

Chart Version: 1.0.6
Kubernetes Version: 1.28
OS: AL2023 (IMDSv1 disabled)
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

kubernetes-sigs / karpenter

Default EC2NodeClass Hop Limit Breaks IMDSv2 #1769

Description