[Question]: When will new `spilo` image be released with Patroni 3.0.2 that supports AWS IMDSv2?

[xdvpser]

Just wanted to know when will new spilo image be released with Patroni 3.0.2 that supports AWS IMDSv2, before building and maintaining our custom image.

[hughcapet]

Actually, the problem with IMDSv2 support is not in Patroni 3.0.2 not being included into the release Spilo version but rather the Spilo scripts using boto instead of boto3 (=using IMDSv1). There is still a task to refactor the scripts

[xdvpser]

@hughcapet Thank you for clarification! Could you please share what is the progress of this task or any link to the details? I couldn't find it in GitHub issues.

As for why do we need it: Kiam has a feature that allows to restrict access to EC2 instance metadata endpoints, so that IMDSv1 is not a security risk. But since it is in maintenance mode and IRSA (alternative to which everyone is migrating) do not have such feature, all metadata endpoints are open to anyone who has access to the shell in the pod. It is an important security problem. So, for now we are stuck with Kiam and cannot upgrade our k8s cluster to newer versions as Kiam does not support them. I would appreciate if this task would be given a higher priority and released with next Spilo version.

[hughcapet]

Thank you for sharing the details Unfortunately, it is not our top priority now and we are not likely to provide this refactoring in the near future.