Revert "Revert defaulting to IMDSv2 (#6624)" (#6631)
This reverts commit 30d4a91.
TiberiuGC committed May 23, 2023
1 parent 8d3e078 commit 478dd5e
Showing 31 changed files with 45 additions and 44 deletions.
4 changes: 2 additions & 2 deletions examples/05-advanced-nodegroups.yaml
Expand Up @@ -16,8 +16,8 @@ nodeGroups:
volumeType: gp2
ami: ami-05ecac759c81e0b0c
amiFamily: AmazonLinux2
# forces the use of IMDSv2 tokens
disableIMDSv1: true
# defaults to true, which enforces the use of IMDSv2 tokens
disableIMDSv1: false
labels:
nodegroup-type: frontend-workloads
iam:
4 changes: 2 additions & 2 deletions integration/tests/dry_run/dry_run_test.go
Expand Up @@ -68,7 +68,7 @@ kubernetesNetworkConfig:
nodeGroups:
- amiFamily: AmazonLinux2
containerRuntime: containerd
disableIMDSv1: false
disableIMDSv1: true
disablePodIMDS: false
instanceSelector: {}
iam:
Expand Down Expand Up @@ -104,7 +104,7 @@ nodeGroups:
managedNodeGroups:
- amiFamily: AmazonLinux2
desiredCapacity: 2
disableIMDSv1: false
disableIMDSv1: true
disablePodIMDS: false
instanceSelector: {}
iam:
Expand Up @@ -38,7 +38,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/actions/nodegroup/testdata/al2-no-force-template.json
Expand Up @@ -38,7 +38,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/actions/nodegroup/testdata/al2-updated-template.json
Expand Up @@ -38,7 +38,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
Expand Up @@ -39,7 +39,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/actions/nodegroup/testdata/br-force-true-template.json
Expand Up @@ -39,7 +39,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/actions/nodegroup/testdata/br-updated-template.json
Expand Up @@ -38,7 +38,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
4 changes: 2 additions & 2 deletions pkg/apis/eksctl.io/v1alpha5/assets/schema.json
Expand Up @@ -1124,7 +1124,7 @@
"type": "boolean",
"description": "requires requests to the metadata service to use IMDSv2 tokens",
"x-intellij-html-description": "requires requests to the metadata service to use IMDSv2 tokens",
"default": false
"default": true
},
"disablePodIMDS": {
"type": "boolean",
Expand Down Expand Up @@ -1485,7 +1485,7 @@
"type": "boolean",
"description": "requires requests to the metadata service to use IMDSv2 tokens",
"x-intellij-html-description": "requires requests to the metadata service to use IMDSv2 tokens",
"default": false
"default": true
},
"disablePodIMDS": {
"type": "boolean",
2 changes: 1 addition & 1 deletion pkg/apis/eksctl.io/v1alpha5/defaults.go
Expand Up @@ -163,7 +163,7 @@ func setNodeGroupBaseDefaults(ng *NodeGroupBase, meta *ClusterMeta) {
setDefaultNodeLabels(ng.Labels, meta.Name, ng.Name)

if ng.DisableIMDSv1 == nil {
ng.DisableIMDSv1 = Disabled()
ng.DisableIMDSv1 = Enabled()
}
if ng.DisablePodIMDS == nil {
ng.DisablePodIMDS = Disabled()
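Review bot: The new default `ng.DisableIMDSv1 = Enabled()` carries no comment saying that it is a deliberate hardening, which matters here because this is exactly the line the earlier revert flipped back. Suggest `// Require IMDSv2 session tokens by default (HttpTokens=required); IMDSv1 is only served when the user explicitly sets disableIMDSv1: false.` It is worth noting in the same comment that this does not keep pods away from the metadata service on its own: `ng.DisablePodIMDS` still defaults to `Disabled()` two lines below, and the launch-template fixtures in this commit keep `HttpPutResponseHopLimit` at 2, so readers who want that protection need disablePodIMDS. setNodeGroupBaseDefaults starts and ends outside the hunk.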
4 changes: 2 additions & 2 deletions pkg/apis/eksctl.io/v1alpha5/types.go
Expand Up @@ -1104,7 +1104,7 @@ func NewNodeGroup() *NodeGroup {
WithLocal: Enabled(),
WithShared: Enabled(),
},
DisableIMDSv1: Disabled(),
DisableIMDSv1: Enabled(),
DisablePodIMDS: Disabled(),
InstanceSelector: &InstanceSelector{},
},
Expand Down Expand Up @@ -1593,7 +1593,7 @@ type NodeGroupBase struct {
PropagateASGTags *bool `json:"propagateASGTags,omitempty"`

// DisableIMDSv1 requires requests to the metadata service to use IMDSv2 tokens
// Defaults to `false`
// Defaults to `true`
// +optional
DisableIMDSv1 *bool `json:"disableIMDSv1,omitempty"`

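Review bot: `DisableIMDSv1: Enabled()` in NewNodeGroup restates the default that setNodeGroupBaseDefaults applies in defaults.go, and the struct comment `// Defaults to \`true\`` is a third copy of the same fact; as this commit shows, all three have to be edited together, which is how they go stale. Consider adding `// keep in sync with setNodeGroupBaseDefaults (defaults.go) and the NodeGroupBase doc comment` next to the constructor field, or deriving the constructor value from one shared default. Both NewNodeGroup and the NodeGroupBase struct extend beyond their hunks.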
2 changes: 1 addition & 1 deletion pkg/apis/eksctl.io/v1alpha5/validation.go
Expand Up @@ -1177,7 +1177,7 @@ func ValidateManagedNodeGroup(index int, ng *ManagedNodeGroup) error {
if ng.InstanceType != "" || ng.AMI != "" || IsEnabled(ng.SSH.Allow) || IsEnabled(ng.SSH.EnableSSM) || len(ng.SSH.SourceSecurityGroupIDs) > 0 ||
ng.VolumeSize != nil || len(ng.PreBootstrapCommands) > 0 || ng.OverrideBootstrapCommand != nil ||
len(ng.SecurityGroups.AttachIDs) > 0 || ng.InstanceName != "" || ng.InstancePrefix != "" || ng.MaxPodsPerNode != 0 ||
IsEnabled(ng.DisableIMDSv1) || IsEnabled(ng.DisablePodIMDS) || ng.Placement != nil {
IsDisabled(ng.DisableIMDSv1) || IsEnabled(ng.DisablePodIMDS) || ng.Placement != nil {

incompatibleFields := []string{
"instanceType", "ami", "ssh.allow", "ssh.enableSSM", "ssh.sourceSecurityGroupIds", "securityGroups",
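Review bot: With the condition now `IsDisabled(ng.DisableIMDSv1)`, a managed nodegroup with a custom launch template is rejected only when the user explicitly opts back into IMDSv1, so the `incompatibleFields` list and the message built from it (which continue past the hunk) should name `disableIMDSv1: false` as the incompatible value rather than the field as a whole, otherwise the message implies the field must be removed when the fix is to drop the explicit false. It is also worth confirming that IsDisabled returns false for a nil pointer, in case ValidateManagedNodeGroup can run before defaults are applied; I cannot see its definition from here. ValidateManagedNodeGroup continues outside the hunk.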
10 changes: 5 additions & 5 deletions pkg/cfn/builder/nodegroup_test.go
Expand Up @@ -667,7 +667,7 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
Expect(properties.LaunchTemplateData.UserData).To(Equal("lovely data right here"))
Expect(properties.LaunchTemplateData.InstanceType).To(Equal("m5.large"))
Expect(properties.LaunchTemplateData.MetadataOptions.HTTPPutResponseHopLimit).To(Equal(float64(2)))
Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("optional"))
Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("required"))
Expect(properties.LaunchTemplateData.TagSpecifications).To(HaveLen(3))
Expect(properties.LaunchTemplateData.TagSpecifications[0].ResourceType).To(Equal(aws.String("instance")))
Expect(properties.LaunchTemplateData.TagSpecifications[0].Tags[0].Key).To(Equal("Name"))
Expand Down Expand Up @@ -748,14 +748,14 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
})
})

Context("ng.DisableIMDSv1 is enabled", func() {
Context("ng.DisableIMDSv1 is disabled", func() {
BeforeEach(func() {
ng.DisableIMDSv1 = aws.Bool(true)
ng.DisableIMDSv1 = aws.Bool(false)
})

It("sets HttpTokens to required on the LaunchTemplateData MetadataOptions", func() {
It("sets HttpTokens to optional on the LaunchTemplateData MetadataOptions", func() {
properties := ngTemplate.Resources["NodeGroupLaunchTemplate"].Properties
Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("required"))
Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("optional"))
})
})

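Review bot: Renaming the Context to "ng.DisableIMDSv1 is disabled" means an explicit `aws.Bool(true)` is no longer exercised anywhere in this file; the `Equal("required")` expectation in the first hunk reaches that value only through the default path. Suggest keeping a Context for the explicit-true case alongside the new one, `ng.DisableIMDSv1 = aws.Bool(true)` expecting `"required"`, so the mapping from the field to HttpTokens is asserted independently of whatever the default happens to be. The Describe block extends beyond both hunks.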
2 changes: 1 addition & 1 deletion pkg/cfn/builder/testdata/launch_template/bottlerocket.json
Expand Up @@ -16,7 +16,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
Expand Up @@ -24,7 +24,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
Expand Up @@ -16,7 +16,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/cfn/builder/testdata/launch_template/custom_ami.json
Expand Up @@ -17,7 +17,7 @@
"ImageId": "ami-custom",
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
Expand Up @@ -27,7 +27,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
Expand Up @@ -26,7 +26,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
Expand Up @@ -21,7 +21,7 @@
},
"MetadataOptions":{
"HttpPutResponseHopLimit":2,
"HttpTokens":"optional"
"HttpTokens":"required"
},
"SecurityGroupIds":[
{
Expand Up @@ -19,7 +19,7 @@
},
"MetadataOptions":{
"HttpPutResponseHopLimit":2,
"HttpTokens":"optional"
"HttpTokens":"required"
},
"SecurityGroupIds":[
{
Expand Up @@ -21,7 +21,7 @@
},
"MetadataOptions":{
"HttpPutResponseHopLimit":2,
"HttpTokens":"optional"
"HttpTokens":"required"
},
"SecurityGroupIds":[
{
2 changes: 1 addition & 1 deletion pkg/cfn/builder/testdata/launch_template/placement.json
Expand Up @@ -16,7 +16,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"Placement": {
"GroupName": "test"
2 changes: 1 addition & 1 deletion pkg/cfn/builder/testdata/launch_template/spot.json
Expand Up @@ -16,7 +16,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/cfn/builder/testdata/launch_template/ssh_disabled.json
Expand Up @@ -17,7 +17,7 @@
"KeyName": "test-keypair",
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/cfn/builder/testdata/launch_template/ssh_enabled.json
Expand Up @@ -17,7 +17,7 @@
"KeyName": "test-keypair",
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/cfn/builder/testdata/launch_template/standard.json
Expand Up @@ -16,7 +16,7 @@
],
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"SecurityGroupIds": [
{
2 changes: 1 addition & 1 deletion pkg/cfn/template/testdata/nodegroup-example-1.json
Expand Up @@ -136,7 +136,7 @@
"KeyName": "eksctl-test-nodegroup-n5-bd:d8:ab:d8:3a:09:95:22:91:61:9f:1c:92:b5:dc:2e",
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional"
"HttpTokens": "required"
},
"NetworkInterfaces": [
{
12 changes: 6 additions & 6 deletions pkg/ctl/cmdutils/filter/nodegroup_filter_test.go
Expand Up @@ -411,7 +411,7 @@ const expected = `
"cloudWatch": false
}
},
"disableIMDSv1": false,
"disableIMDSv1": true,
"disablePodIMDS": false,
"instanceSelector": {},
"containerRuntime": "containerd"
Expand Down Expand Up @@ -456,7 +456,7 @@ const expected = `
"cloudWatch": false
}
},
"disableIMDSv1": false,
"disableIMDSv1": true,
"disablePodIMDS": false,
"instanceSelector": {},
"containerRuntime": "containerd"
Expand Down Expand Up @@ -502,7 +502,7 @@ const expected = `
}
},
"clusterDNS": "1.2.3.4",
"disableIMDSv1": false,
"disableIMDSv1": true,
"disablePodIMDS": false,
"instanceSelector": {},
"containerRuntime": "containerd"
Expand Down Expand Up @@ -547,7 +547,7 @@ const expected = `
"cloudWatch": false
}
},
"disableIMDSv1": false,
"disableIMDSv1": true,
"disablePodIMDS": false,
"instanceSelector": {},
"containerRuntime": "containerd"
Expand Down Expand Up @@ -596,7 +596,7 @@ const expected = `
}
},
"clusterDNS": "4.2.8.14",
"disableIMDSv1": false,
"disableIMDSv1": true,
"disablePodIMDS": false,
"instanceSelector": {},
"containerRuntime": "containerd"
Expand Down Expand Up @@ -644,7 +644,7 @@ const expected = `
"cloudWatch": false
}
},
"disableIMDSv1": false,
"disableIMDSv1": true,
"disablePodIMDS": false,
"instanceSelector": {},
"containerRuntime": "containerd"
2 changes: 1 addition & 1 deletion userdocs/src/usage/dry-run.md
Expand Up @@ -21,7 +21,7 @@ kind: ClusterConfig
managedNodeGroups:
- amiFamily: AmazonLinux2
desiredCapacity: 2
disableIMDSv1: false
disableIMDSv1: true
disablePodIMDS: false
iam:
withAddonPolicies:
3 changes: 2 additions & 1 deletion userdocs/src/usage/eks-managed-nodes.md
Expand Up @@ -136,7 +136,8 @@ managedNodeGroups:
volumeSize: 100
volumeName: /dev/xvda
volumeEncrypted: true
disableIMDSv1: true
# defaults to true, which enforces the use of IMDSv2 tokens
disableIMDSv1: false
overrideBootstrapCommand: |
#!/bin/bash
/etc/eks/bootstrap.sh managed-cluster --kubelet-extra-args '--node-labels=eks.amazonaws.com/nodegroup=custom-ng,eks.amazonaws.com/nodegroup-image=ami-0e124de4755b2734d'
