imdsv2-configuration (#594)

* imdsv2-configuration
giantswarm · Apr 24, 2024 · bbe91e2 · bbe91e2
1 parent 6e85f84
commit bbe91e2
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add option to configure instance metadata http tokens for EC2 instances to enable or disable IMDSv2 enforcement.
+
 ## [0.71.0] - 2024-04-16
 
 ### Changed

diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md
@@ -22,6 +22,8 @@ Properties within the `.global.providerSpecific` object
 | `global.providerSpecific.ami` | **Amazon machine image (AMI)** - If specified, this image will be used to provision EC2 instances.|**Type:** `string`<br/>|
 | `global.providerSpecific.awsClusterRoleIdentityName` | **Cluster role identity name** - Name of an AWSClusterRoleIdentity object. Learn more at https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#configure-the-awsclusterroleidentity .|**Type:** `string`<br/>**Value pattern:** `^[-a-zA-Z0-9_\.]{1,63}$`<br/>**Default:** `"default"`|
 | `global.providerSpecific.flatcarAwsAccount` | **AWS account owning Flatcar image** - AWS account ID owning the Flatcar Container Linux AMI.|**Type:** `string`<br/>**Default:** `"706635527432"`|
+| `global.providerSpecific.instanceMetadataOptions` | **Instance metadata options** - Instance metadata options for the EC2 instances in the cluster.|**Type:** `object`<br/>|
+| `global.providerSpecific.instanceMetadataOptions.httpTokens` | **HTTP tokens** - The state of token usage for your instance metadata requests. If you set this parameter to `optional`, you can use either IMDSv1 or IMDSv2. If you set this parameter to `required`, you must use a IMDSv2 to access the instance metadata endpoint. Learn more at [What’s new in IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).|**Type:** `string`<br/>**Default:** `"required"`|
 | `global.providerSpecific.osImageVariant` | **OS image variant**|**Type:** `string`<br/>**Default:** `"3"`|
 | `global.providerSpecific.region` | **Region**|**Type:** `string`<br/>|
 

diff --git a/helm/cluster-aws/templates/_control_plane.tpl b/helm/cluster-aws/templates/_control_plane.tpl
@@ -28,6 +28,9 @@ iamInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
 additionalSecurityGroups:
 {{- toYaml .Values.global.controlPlane.additionalSecurityGroups | nindent 2 }}
 {{- end }}
+instanceMetadataOptions:
+  httpPutResponseHopLimit: 3
+  httpTokens: {{ .Values.global.providerSpecific.instanceMetadataOptions.httpTokens | quote }}
 sshKeyName: ""
 subnet:
   filters:

diff --git a/helm/cluster-aws/templates/_machine_pools.tpl b/helm/cluster-aws/templates/_machine_pools.tpl
@@ -48,6 +48,9 @@ spec:
     spotMarketOptions:
       maxPrice: {{ $value.spotInstances.maxPrice | quote }}
     {{- end }}
+    instanceMetadataOptions:
+      httpPutResponseHopLimit: 3
+      httpTokens: {{ $.Values.global.providerSpecific.instanceMetadataOptions.httpTokens | quote }}
   minSize: {{ $value.minSize | default 1 }}
   maxSize: {{ $value.maxSize | default 3 }}
   {{- if or (not $value.spotInstances) (not $value.spotInstances.enabled) }}

diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json
@@ -1158,6 +1158,23 @@
                             "description": "AWS account ID owning the Flatcar Container Linux AMI.",
                             "default": "706635527432"
                         },
+                        "instanceMetadataOptions": {
+                            "type": "object",
+                            "title": "Instance metadata options",
+                            "description": "Instance metadata options for the EC2 instances in the cluster.",
+                            "properties": {
+                                "httpTokens": {
+                                    "type": "string",
+                                    "title": "HTTP tokens",
+                                    "description": "The state of token usage for your instance metadata requests. If you set this parameter to `optional`, you can use either IMDSv1 or IMDSv2. If you set this parameter to `required`, you must use a IMDSv2 to access the instance metadata endpoint. Learn more at [What’s new in IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).",
+                                    "enum": [
+                                        "optional",
+                                        "required"
+                                    ],
+                                    "default": "required"
+                                }
+                            }
+                        },
                         "osImageVariant": {
                             "type": "string",
                             "title": "OS image variant",

diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
@@ -223,6 +223,8 @@ global:
   providerSpecific:
     awsClusterRoleIdentityName: default
     flatcarAwsAccount: "706635527432"
+    instanceMetadataOptions:
+      httpTokens: required
     osImageVariant: "3"
 internal:
   migration: {}