Open tobiscr opened 6 months ago
Impacts default configuration of worker pools - see also #46
Relevant fragment
The `instanceMetadataOptions` controls access to the instance metadata service (IMDS) for members of the worker. You can do the following operations:
- access IMDSv1 (default)
- access IMDSv2 - `httpPutResponseHopLimit >= 2`
- access IMDSv2 only (restrict access to IMDSv1) - `httpPutResponseHopLimit >= 2`, `httpTokens = "required"`
- disable access to IMDS - `httpTokens = "required"`
Note: The accessibility of IMDS discussed in the previous point is referenced from the point of view of containers NOT running in the host network. By default on host network IMDSv2 is already enabled (but not accessible from inside the pods). It is currently not possible to create a VM with complete restriction to the IMDS service. It is however possible to restrict access from inside the pods by setting `httpTokens` to `required` and not setting `httpPutResponseHopLimit` (or setting it to 1). You can find more information regarding the options in the AWS documentation.
Notes from today's alignment with @tobiscr and @ebensom: at the end, we need to make sure that those two fields:
- `httpPutResponseHopLimit >= 2`
- `httpTokens = "required"`
will be configured for AWS for new clusters using a feature flag. SRE is willing to raise a PR with that change which @kyma-project/framefrog should review. Later, SRE will ensure that all shoots are upgraded to use those new values.
Fix for provisioner was created by @ebensom : https://github.com/kyma-project/control-plane/commit/ea75326a0e2f1108f4297dd04b8090cd75266898
Description
To increase the overall security of our AWS clusters, the default configuration in Gardener should be adjusted to use IMDS2 as default.
Currently, new worker pools are created having IMDS1 enabled (this is the default if no explicit configuration is provided). We have to adjust the shoot-spec for Gardener to use IMDS2 per default.
AC:
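As an added illustration (not part of this issue and not a file from the Gardener or kyma projects), here is a Shoot spec with two AWS worker pools: one left at the AWS default that the issue describes, and one carrying the `providerConfig` that sets the two fields agreed in the alignment notes. The shoot name, worker names, zone and machine type are placeholders.

```yaml
# Added example, not taken from the issue or from Gardener: two AWS worker
# pools in a Shoot spec. Names, zone and machine type are placeholders.
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: example-shoot
spec:
  provider:
    type: aws
    workers:
      # BEFORE: no instanceMetadataOptions at all. AWS applies its own
      # defaults (httpTokens=optional, httpPutResponseHopLimit=1), so the
      # node still answers plain IMDSv1 GET requests without a token.
      - name: worker-legacy
        machine:
          type: m5.large
        minimum: 1
        maximum: 3
        zones:
          - eu-central-1a
      # AFTER: the two fields from the alignment notes. httpTokens=required
      # makes the node reject every request that lacks an IMDSv2 token; the
      # hop limit of 2 lets a pod that is NOT on the host network still
      # complete the IMDSv2 PUT (token) / GET (metadata) exchange.
      - name: worker-imdsv2
        machine:
          type: m5.large
        minimum: 1
        maximum: 3
        zones:
          - eu-central-1a
        providerConfig:
          apiVersion: aws.provider.extensions.gardener.cloud/v1alpha1
          kind: WorkerConfig
          instanceMetadataOptions:
            httpTokens: required
            httpPutResponseHopLimit: 2
```

To confirm the rollout on a node, `aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpPutResponseHopLimit]'` should report `required` and `2` for the worker-imdsv2 machines. From a pod on the pod network, a token-less `curl http://169.254.169.254/latest/meta-data/` should now be answered with HTTP 401, while `curl -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 60'` still returns a token; with a hop limit of 1 that PUT would fail from the pod, which is the fully pod-restricted variant the quoted Gardener note describes.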