From bbe91e22b44db35b553740ba4ae52288e7db6e84 Mon Sep 17 00:00:00 2001 From: calvix Date: Wed, 24 Apr 2024 11:07:50 +0200 Subject: [PATCH] imdsv2-configuration (#594) * imdsv2-configuration --- CHANGELOG.md | 4 ++++ helm/cluster-aws/README.md | 2 ++ helm/cluster-aws/templates/_control_plane.tpl | 3 +++ helm/cluster-aws/templates/_machine_pools.tpl | 3 +++ helm/cluster-aws/values.schema.json | 17 +++++++++++++++++ helm/cluster-aws/values.yaml | 2 ++ 6 files changed, 31 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 377eaa35..3c5852af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Add option to configure instance metadata http tokens for EC2 instances to enable or disable IMDSv2 enforcement. + ## [0.71.0] - 2024-04-16 ### Changed diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md index b28745e5..458ec221 100644 --- a/helm/cluster-aws/README.md +++ b/helm/cluster-aws/README.md @@ -22,6 +22,8 @@ Properties within the `.global.providerSpecific` object | `global.providerSpecific.ami` | **Amazon machine image (AMI)** - If specified, this image will be used to provision EC2 instances.|**Type:** `string`
| | `global.providerSpecific.awsClusterRoleIdentityName` | **Cluster role identity name** - Name of an AWSClusterRoleIdentity object. Learn more at https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#configure-the-awsclusterroleidentity .|**Type:** `string`
**Value pattern:** `^[-a-zA-Z0-9_\.]{1,63}$`
**Default:** `"default"`| | `global.providerSpecific.flatcarAwsAccount` | **AWS account owning Flatcar image** - AWS account ID owning the Flatcar Container Linux AMI.|**Type:** `string`
**Default:** `"706635527432"`| +| `global.providerSpecific.instanceMetadataOptions` | **Instance metadata options** - Instance metadata options for the EC2 instances in the cluster.|**Type:** `object`
| +| `global.providerSpecific.instanceMetadataOptions.httpTokens` | **HTTP tokens** - The state of token usage for your instance metadata requests. If you set this parameter to `optional`, you can use either IMDSv1 or IMDSv2. If you set this parameter to `required`, you must use a IMDSv2 to access the instance metadata endpoint. Learn more at [What’s new in IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).|**Type:** `string`
**Default:** `"required"`| | `global.providerSpecific.osImageVariant` | **OS image variant**|**Type:** `string`
**Default:** `"3"`| | `global.providerSpecific.region` | **Region**|**Type:** `string`
| diff --git a/helm/cluster-aws/templates/_control_plane.tpl b/helm/cluster-aws/templates/_control_plane.tpl index 3f4b676a..1368e24f 100644 --- a/helm/cluster-aws/templates/_control_plane.tpl +++ b/helm/cluster-aws/templates/_control_plane.tpl @@ -28,6 +28,9 @@ iamInstanceProfile: control-plane-{{ include "resource.default.name" $ }} additionalSecurityGroups: {{- toYaml .Values.global.controlPlane.additionalSecurityGroups | nindent 2 }} {{- end }} +instanceMetadataOptions: + httpPutResponseHopLimit: 3 + httpTokens: {{ .Values.global.providerSpecific.instanceMetadataOptions.httpTokens | quote }} sshKeyName: "" subnet: filters: diff --git a/helm/cluster-aws/templates/_machine_pools.tpl b/helm/cluster-aws/templates/_machine_pools.tpl index 005b480e..1ad3db60 100644 --- a/helm/cluster-aws/templates/_machine_pools.tpl +++ b/helm/cluster-aws/templates/_machine_pools.tpl @@ -48,6 +48,9 @@ spec: spotMarketOptions: maxPrice: {{ $value.spotInstances.maxPrice | quote }} {{- end }} + instanceMetadataOptions: + httpPutResponseHopLimit: 3 + httpTokens: {{ $.Values.global.providerSpecific.instanceMetadataOptions.httpTokens | quote }} minSize: {{ $value.minSize | default 1 }} maxSize: {{ $value.maxSize | default 3 }} {{- if or (not $value.spotInstances) (not $value.spotInstances.enabled) }} diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json index 7dbfca24..06bf60c5 100644 --- a/helm/cluster-aws/values.schema.json +++ b/helm/cluster-aws/values.schema.json 
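Review bot: `httpPutResponseHopLimit: 3` is hard-coded in the new `instanceMetadataOptions` block of the control-plane template, and the same constant is repeated in the _machine_pools.tpl hunk, while only `httpTokens` is surfaced in values, the schema and the CHANGELOG. With `httpTokens: required` the hop limit is what decides whether a process behind an extra network hop on the node (for example a pod on a bridged pod network) can still obtain an IMDSv2 token, so 3 is a security-relevant choice and deserves either its own value next to `httpTokens` or at least a template comment such as `{{- /* hop limit 3 keeps IMDSv2 reachable from containerised workloads behind NAT; lower it to confine IMDS to the host itself */ -}}` above the line. The value path is also read without a fallback, unlike `minSize`/`maxSize` in the machine-pool hunk, so an override that nulls `instanceMetadataOptions` would fail rendering rather than fall back to the schema default; `httpTokens: {{ .Values.global.providerSpecific.instanceMetadataOptions.httpTokens | default "required" | quote }}` would mirror the schema. The enclosing template definition starts before and ends after this hunk.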
@@ -1158,6 +1158,23 @@ "description": "AWS account ID owning the Flatcar Container Linux AMI.", "default": "706635527432" }, + "instanceMetadataOptions": { + "type": "object", + "title": "Instance metadata options", + "description": "Instance metadata options for the EC2 instances in the cluster.", + "properties": { + "httpTokens": { + "type": "string", + "title": "HTTP tokens", + "description": "The state of token usage for your instance metadata requests. If you set this parameter to `optional`, you can use either IMDSv1 or IMDSv2. If you set this parameter to `required`, you must use a IMDSv2 to access the instance metadata endpoint. Learn more at [What’s new in IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).", + "enum": [ + "optional", + "required" + ], + "default": "required" + } + } + }, "osImageVariant": { "type": "string", "title": "OS image variant", diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml index 2c6bccd5..3d8415da 100644 --- a/helm/cluster-aws/values.yaml +++ b/helm/cluster-aws/values.yaml @@ -223,6 +223,8 @@ global: providerSpecific: awsClusterRoleIdentityName: default flatcarAwsAccount: "706635527432" + instanceMetadataOptions: + httpTokens: required osImageVariant: "3" internal: migration: {}
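Review bot: The `httpTokens` description in the new `instanceMetadataOptions` schema entry reads "you must use a IMDSv2", and the identical sentence appears in the README row, which looks generated from this schema, so the wording is best fixed here. The description also never says why `required` is the default, which is what an operator tempted to set `optional` needs to know; a wording like `"description": "Controls IMDSv2 enforcement for the cluster's EC2 instances. 'required' (the default) rejects IMDSv1 requests, so instance metadata and instance-role credentials can only be read with a session token; use 'optional' only for workloads that still depend on IMDSv1. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html"` keeps the same link while stating the consequence. The schema exposes `httpTokens` only, whereas the templates additionally fix `httpPutResponseHopLimit` to 3; if that is intentionally not configurable, mention it in the object's description so the effective instance configuration is visible to users.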