
Default EC2NodeClass Hop Limit Breaks IMDSv2 #1769

Open
agray-ctm opened this issue Oct 23, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@agray-ctm

agray-ctm commented Oct 23, 2024

Description

Observed Behavior:
My team uses the terraform-aws-modules/eks module to create our baseload nodes where we run Karpenter. As expected, these default to a hop limit of 2, thus allowing pods to access the IMDSv2 service.

AWS EKS - See metadata_options

However, Karpenter EC2NodeClass defaults to a hop limit of 1, disabling access as specified in: Disable IMDSv2

Karpenter - spec.metadata_options.httpPutResponseHopLimit

While I understand that from a security standpoint it makes sense to disable IMDSv2, I do not agree that this is a sensible default.

My team upgraded from AL2 to AL2023, knowing that our EKS module would set hop limit to 2, but then our entire dev environment went down because this default on Karpenter prevented kubernetes-sigs/aws-load-balancer-controller pods from getting the VPC-ID (was not explicitly provided).

Expected Behavior:
Default hop limit is 2, in line with the terraform-aws-modules default, thus allowing IMDSv2 traffic.

I do not think that Karpenter should be the one to make the call to disable this feature provided by AWS.

Reproduction Steps (Please include YAML):
Fail to override the spec.metadataOptions.httpPutResponseHopLimit default.

Versions:

  • Chart Version: 1.0.6
  • Kubernetes Version: 1.28
  • OS: AL2023 (IMDSv1 disabled)
  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@agray-ctm agray-ctm added the kind/bug Categorizes issue or PR as related to a bug. label Oct 23, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 23, 2024
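The two settings the issue contrasts, written out as an added example (not taken from the issue or from the Karpenter project): the EC2NodeClass on the left of the `---` keeps Karpenter's default `httpPutResponseHopLimit: 1`, the one after it overrides to `2` as the terraform-aws-modules/eks default does. The API version and field names are those of the Karpenter v1 EC2NodeClass; the node class names, cluster tag and IAM role are assumed placeholders.

```yaml
# Added example, not from the issue. Names such as "default", "imds-hop-2",
# "my-cluster" and the role are assumed placeholders.
apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
  name: default
spec:
  amiSelectorTerms:
    - alias: al2023@latest
  role: KarpenterNodeRole-my-cluster          # assumed placeholder
  subnetSelectorTerms:
    - tags:
        karpenter.sh/discovery: my-cluster    # assumed placeholder
  securityGroupSelectorTerms:
    - tags:
        karpenter.sh/discovery: my-cluster
  # Karpenter's default: IMDSv2 tokens required and a hop limit of 1.
  # A pod in its own network namespace is one hop further from the
  # instance than the node itself, so the PUT that requests an IMDSv2
  # token never gets a reply. Pods therefore cannot pick up the node's
  # instance-profile credentials; that is the defensive intent.
  metadataOptions:
    httpEndpoint: enabled
    httpProtocolIPv6: disabled
    httpPutResponseHopLimit: 1
    httpTokens: required
---
# Explicit override matching the terraform-aws-modules/eks default of 2.
# This restores pod access to IMDSv2, which also means every pod scheduled
# on the node can obtain the node role's credentials unless something
# else (for example a network policy on 169.254.169.254) blocks it.
apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
  name: imds-hop-2
spec:
  amiSelectorTerms:
    - alias: al2023@latest
  role: KarpenterNodeRole-my-cluster          # assumed placeholder
  subnetSelectorTerms:
    - tags:
        karpenter.sh/discovery: my-cluster    # assumed placeholder
  securityGroupSelectorTerms:
    - tags:
        karpenter.sh/discovery: my-cluster
  metadataOptions:
    httpEndpoint: enabled
    httpProtocolIPv6: disabled
    httpPutResponseHopLimit: 2
    httpTokens: required
```

Setting the hop limit to 2 is a cluster-wide change in what pods can reach. The narrower fix for the failure the issue describes is to give the aws-load-balancer-controller its VPC ID explicitly (the issue notes it was not provided; the controller's Helm chart exposes this as the `vpcId` value) and to supply its AWS credentials through IRSA or EKS Pod Identity rather than through the node's IMDS, so the hop limit of 1 can stay in place for every other pod on the node.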
@k8s-ci-robot

This issue is currently awaiting triage.

If Karpenter contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
