diff --git a/examples/05-advanced-nodegroups.yaml b/examples/05-advanced-nodegroups.yaml
index cce063ee3f..ef513e9bd9 100644
--- a/examples/05-advanced-nodegroups.yaml
+++ b/examples/05-advanced-nodegroups.yaml
@@ -16,8 +16,8 @@ nodeGroups:
 volumeType: gp2
 ami: ami-05ecac759c81e0b0c
 amiFamily: AmazonLinux2
- # forces the use of IMDSv2 tokens
- disableIMDSv1: true
+ # defaults to true, which enforces the use of IMDSv2 tokens
+ disableIMDSv1: false
 labels:
 nodegroup-type: frontend-workloads
 iam:
diff --git a/integration/tests/dry_run/dry_run_test.go b/integration/tests/dry_run/dry_run_test.go
index 09a73114a7..184684e206 100644
--- a/integration/tests/dry_run/dry_run_test.go
+++ b/integration/tests/dry_run/dry_run_test.go
@@ -68,7 +68,7 @@ kubernetesNetworkConfig:
 nodeGroups:
 - amiFamily: AmazonLinux2
 containerRuntime: containerd
- disableIMDSv1: false
+ disableIMDSv1: true
 disablePodIMDS: false
 instanceSelector: {}
 iam:
@@ -104,7 +104,7 @@ nodeGroups:
 managedNodeGroups:
 - amiFamily: AmazonLinux2
 desiredCapacity: 2
- disableIMDSv1: false
+ disableIMDSv1: true
 disablePodIMDS: false
 instanceSelector: {}
 iam:
diff --git a/pkg/actions/nodegroup/testdata/al2-force-false-template.json b/pkg/actions/nodegroup/testdata/al2-force-false-template.json
index e67f94ad14..f0d32145d4 100644
--- a/pkg/actions/nodegroup/testdata/al2-force-false-template.json
+++ b/pkg/actions/nodegroup/testdata/al2-force-false-template.json
@@ -38,7 +38,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/actions/nodegroup/testdata/al2-no-force-template.json b/pkg/actions/nodegroup/testdata/al2-no-force-template.json
index 3d46f1febc..f0389bfd79 100644
--- a/pkg/actions/nodegroup/testdata/al2-no-force-template.json
+++ b/pkg/actions/nodegroup/testdata/al2-no-force-template.json
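Review bot: The comment added above the example's `disableIMDSv1: false` line states the default but not what the line itself does: it re-enables IMDSv1 on these nodes, taking the launch template's `HttpTokens` back to `optional` (the value this commit's fixtures move away from), so the example now opts out of the hardened default without saying so. An opt-out in an example should name the trade-off, e.g. `# defaults to true (IMDSv2 token required); set to false only if a workload on these nodes still needs IMDSv1`. The same comment text appears in the userdocs/src/usage/eks-managed-nodes.md hunk and would benefit from the same wording.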
@@ -38,7 +38,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/actions/nodegroup/testdata/al2-updated-template.json b/pkg/actions/nodegroup/testdata/al2-updated-template.json
index cd3f87fafb..4521492038 100644
--- a/pkg/actions/nodegroup/testdata/al2-updated-template.json
+++ b/pkg/actions/nodegroup/testdata/al2-updated-template.json
@@ -38,7 +38,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/actions/nodegroup/testdata/br-force-false-template.json b/pkg/actions/nodegroup/testdata/br-force-false-template.json
index 2f623b17a1..89079105c9 100644
--- a/pkg/actions/nodegroup/testdata/br-force-false-template.json
+++ b/pkg/actions/nodegroup/testdata/br-force-false-template.json
@@ -39,7 +39,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/actions/nodegroup/testdata/br-force-true-template.json b/pkg/actions/nodegroup/testdata/br-force-true-template.json
index a4dab6a897..ba43850044 100644
--- a/pkg/actions/nodegroup/testdata/br-force-true-template.json
+++ b/pkg/actions/nodegroup/testdata/br-force-true-template.json
@@ -39,7 +39,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/actions/nodegroup/testdata/br-updated-template.json b/pkg/actions/nodegroup/testdata/br-updated-template.json
index 038ecb7917..9dd444623a 100644
--- a/pkg/actions/nodegroup/testdata/br-updated-template.json
+++ b/pkg/actions/nodegroup/testdata/br-updated-template.json
@@ -38,7 +38,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
index be32b5322c..abc2f1841b 100755
--- a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
+++ b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -1124,7 +1124,7 @@
 "type": "boolean",
 "description": "requires requests to the metadata service to use IMDSv2 tokens",
 "x-intellij-html-description": "requires requests to the metadata service to use IMDSv2 tokens",
- "default": false
+ "default": true
 },
 "disablePodIMDS": {
 "type": "boolean",
@@ -1485,7 +1485,7 @@
 "type": "boolean",
 "description": "requires requests to the metadata service to use IMDSv2 tokens",
 "x-intellij-html-description": "requires requests to the metadata service to use IMDSv2 tokens",
- "default": false
+ "default": true
 },
 "disablePodIMDS": {
 "type": "boolean",
diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults.go b/pkg/apis/eksctl.io/v1alpha5/defaults.go
index d654bcfe48..a04dc374fc 100644
--- a/pkg/apis/eksctl.io/v1alpha5/defaults.go
+++ b/pkg/apis/eksctl.io/v1alpha5/defaults.go
@@ -163,7 +163,7 @@ func setNodeGroupBaseDefaults(ng *NodeGroupBase, meta *ClusterMeta) {
 setDefaultNodeLabels(ng.Labels, meta.Name, ng.Name)
 
 if ng.DisableIMDSv1 == nil {
- ng.DisableIMDSv1 = Disabled()
+ ng.DisableIMDSv1 = Enabled()
 }
 if ng.DisablePodIMDS == nil {
 ng.DisablePodIMDS = Disabled()
diff --git a/pkg/apis/eksctl.io/v1alpha5/types.go b/pkg/apis/eksctl.io/v1alpha5/types.go
index d6c3fe52f7..7a81a78e16 100644
--- a/pkg/apis/eksctl.io/v1alpha5/types.go
+++ b/pkg/apis/eksctl.io/v1alpha5/types.go
@@ -1104,7 +1104,7 @@ func NewNodeGroup() *NodeGroup {
 WithLocal: Enabled(),
 WithShared: Enabled(),
 },
- DisableIMDSv1: Disabled(),
+ DisableIMDSv1: Enabled(),
 DisablePodIMDS: Disabled(),
 InstanceSelector: &InstanceSelector{},
 },
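Review bot: The flipped default in setNodeGroupBaseDefaults carries no comment explaining the choice, although it changes what every config that omits `disableIMDSv1` gets: the launch-template fixtures in this commit go from `"HttpTokens": "optional"` to `"required"`, so any workload on new nodes that still speaks IMDSv1 will stop receiving credentials unless the field is set to false explicitly. A why-comment at the assignment would spare the next reader a git blame, e.g. `// Default to IMDSv2-only (launch template HttpTokens=required); set disableIMDSv1: false explicitly to keep IMDSv1 reachable.` NewNodeGroup in types.go makes the matching change and stays consistent with this. setNodeGroupBaseDefaults starts outside the hunk.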
@@ -1593,7 +1593,7 @@ type NodeGroupBase struct {
 PropagateASGTags *bool `json:"propagateASGTags,omitempty"`
 
 // DisableIMDSv1 requires requests to the metadata service to use IMDSv2 tokens
- // Defaults to `false`
+ // Defaults to `true`
 // +optional
 DisableIMDSv1 *bool `json:"disableIMDSv1,omitempty"`
 
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index eaf5503582..4a1d012464 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -1177,7 +1177,7 @@ func ValidateManagedNodeGroup(index int, ng *ManagedNodeGroup) error {
 if ng.InstanceType != "" || ng.AMI != "" || IsEnabled(ng.SSH.Allow) || IsEnabled(ng.SSH.EnableSSM) || len(ng.SSH.SourceSecurityGroupIDs) > 0 || ng.VolumeSize != nil || len(ng.PreBootstrapCommands) > 0 || ng.OverrideBootstrapCommand != nil || len(ng.SecurityGroups.AttachIDs) > 0 || ng.InstanceName != "" || ng.InstancePrefix != "" || ng.MaxPodsPerNode != 0 ||
- IsEnabled(ng.DisableIMDSv1) || IsEnabled(ng.DisablePodIMDS) || ng.Placement != nil {
+ IsDisabled(ng.DisableIMDSv1) || IsEnabled(ng.DisablePodIMDS) || ng.Placement != nil {
 incompatibleFields := []string{
 "instanceType", "ami", "ssh.allow", "ssh.enableSSM", "ssh.sourceSecurityGroupIds", "securityGroups",
diff --git a/pkg/cfn/builder/nodegroup_test.go b/pkg/cfn/builder/nodegroup_test.go
index bf151205cf..c09965eb1b 100644
--- a/pkg/cfn/builder/nodegroup_test.go
+++ b/pkg/cfn/builder/nodegroup_test.go
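Review bot: Switching the launch-template incompatibility check to `IsDisabled(ng.DisableIMDSv1)` means an explicit `disableIMDSv1: true` next to a `launchTemplate` is no longer rejected, and because defaults.go now also yields true for an omitted field, this check cannot tell the two apart; a user who deliberately asked for IMDSv2-only then gets whatever `MetadataOptions` the launch template carries, with no error. If validation runs after the defaults are applied (I cannot confirm the order from this hunk), the fix is either to record whether the field was user-set before defaulting, or at minimum to document on the `DisableIMDSv1` field in types.go that the setting is ignored when `launchTemplate` is set. The `incompatibleFields` error text that follows (outside the hunk) presumably still lists the bare field name and should now refer to `disableIMDSv1: false`. ValidateManagedNodeGroup and the enclosing condition start outside the hunk.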
@@ -667,7 +667,7 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 Expect(properties.LaunchTemplateData.UserData).To(Equal("lovely data right here"))
 Expect(properties.LaunchTemplateData.InstanceType).To(Equal("m5.large"))
 Expect(properties.LaunchTemplateData.MetadataOptions.HTTPPutResponseHopLimit).To(Equal(float64(2)))
- Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("optional"))
+ Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("required"))
 Expect(properties.LaunchTemplateData.TagSpecifications).To(HaveLen(3))
 Expect(properties.LaunchTemplateData.TagSpecifications[0].ResourceType).To(Equal(aws.String("instance")))
 Expect(properties.LaunchTemplateData.TagSpecifications[0].Tags[0].Key).To(Equal("Name"))
@@ -748,14 +748,14 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 })
 })
 
- Context("ng.DisableIMDSv1 is enabled", func() {
+ Context("ng.DisableIMDSv1 is disabled", func() {
 BeforeEach(func() {
- ng.DisableIMDSv1 = aws.Bool(true)
+ ng.DisableIMDSv1 = aws.Bool(false)
 })
 
- It("sets HttpTokens to required on the LaunchTemplateData MetadataOptions", func() {
+ It("sets HttpTokens to optional on the LaunchTemplateData MetadataOptions", func() {
 properties := ngTemplate.Resources["NodeGroupLaunchTemplate"].Properties
- Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("required"))
+ Expect(properties.LaunchTemplateData.MetadataOptions.HTTPTokens).To(Equal("optional"))
 })
 })
 
diff --git a/pkg/cfn/builder/testdata/launch_template/bottlerocket.json b/pkg/cfn/builder/testdata/launch_template/bottlerocket.json
index 329419c4b7..ca23edcee5 100644
--- a/pkg/cfn/builder/testdata/launch_template/bottlerocket.json
+++ b/pkg/cfn/builder/testdata/launch_template/bottlerocket.json
@@ -16,7 +16,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/bottlerocket_additional_encrypted_volume.json b/pkg/cfn/builder/testdata/launch_template/bottlerocket_additional_encrypted_volume.json
index c4d2530a61..76378dec2c 100644
--- a/pkg/cfn/builder/testdata/launch_template/bottlerocket_additional_encrypted_volume.json
+++ b/pkg/cfn/builder/testdata/launch_template/bottlerocket_additional_encrypted_volume.json
@@ -24,7 +24,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/bottlerocket_volume.json b/pkg/cfn/builder/testdata/launch_template/bottlerocket_volume.json
index 6132f7a14c..22db2877f5 100644
--- a/pkg/cfn/builder/testdata/launch_template/bottlerocket_volume.json
+++ b/pkg/cfn/builder/testdata/launch_template/bottlerocket_volume.json
@@ -16,7 +16,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/custom_ami.json b/pkg/cfn/builder/testdata/launch_template/custom_ami.json
index 45a252a274..9ec72b133d 100644
--- a/pkg/cfn/builder/testdata/launch_template/custom_ami.json
+++ b/pkg/cfn/builder/testdata/launch_template/custom_ami.json
@@ -17,7 +17,7 @@
 "ImageId": "ami-custom",
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes.json b/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes.json
index e775a74793..1699a3af4d 100644
--- a/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes.json
+++ b/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes.json
@@ -27,7 +27,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes_missing_size.json b/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes_missing_size.json
index 60a6490d5c..7551dbbb91 100644
--- a/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes_missing_size.json
+++ b/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes_missing_size.json
@@ -26,7 +26,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_id.json b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_id.json
index 91db8b7c1c..2223e06ebd 100644
--- a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_id.json
+++ b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_id.json
@@ -21,7 +21,7 @@
 },
 "MetadataOptions":{
 "HttpPutResponseHopLimit":2,
- "HttpTokens":"optional"
+ "HttpTokens":"required"
 },
 "SecurityGroupIds":[
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_preference.json b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_preference.json
index f56decbd6c..81e51c9af7 100644
--- a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_preference.json
+++ b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_preference.json
@@ -19,7 +19,7 @@
 },
 "MetadataOptions":{
 "HttpPutResponseHopLimit":2,
- "HttpTokens":"optional"
+ "HttpTokens":"required"
 },
 "SecurityGroupIds":[
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_resource_group_arn.json b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_resource_group_arn.json
index 7c55133dd0..c80518e7d8 100644
--- a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_resource_group_arn.json
+++ b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_resource_group_arn.json
@@ -21,7 +21,7 @@
 },
 "MetadataOptions":{
 "HttpPutResponseHopLimit":2,
- "HttpTokens":"optional"
+ "HttpTokens":"required"
 },
 "SecurityGroupIds":[
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/placement.json b/pkg/cfn/builder/testdata/launch_template/placement.json
index e34c6b5dcf..7f89e49d13 100644
--- a/pkg/cfn/builder/testdata/launch_template/placement.json
+++ b/pkg/cfn/builder/testdata/launch_template/placement.json
@@ -16,7 +16,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "Placement": {
 "GroupName": "test"
diff --git a/pkg/cfn/builder/testdata/launch_template/spot.json b/pkg/cfn/builder/testdata/launch_template/spot.json
index 2fff983123..604363fe12 100644
--- a/pkg/cfn/builder/testdata/launch_template/spot.json
+++ b/pkg/cfn/builder/testdata/launch_template/spot.json
@@ -16,7 +16,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/ssh_disabled.json b/pkg/cfn/builder/testdata/launch_template/ssh_disabled.json
index d7f937ae4e..61296969ad 100644
--- a/pkg/cfn/builder/testdata/launch_template/ssh_disabled.json
+++ b/pkg/cfn/builder/testdata/launch_template/ssh_disabled.json
@@ -17,7 +17,7 @@
 "KeyName": "test-keypair",
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/ssh_enabled.json b/pkg/cfn/builder/testdata/launch_template/ssh_enabled.json
index 9f2bac4fd8..3a89b1c022 100644
--- a/pkg/cfn/builder/testdata/launch_template/ssh_enabled.json
+++ b/pkg/cfn/builder/testdata/launch_template/ssh_enabled.json
@@ -17,7 +17,7 @@
 "KeyName": "test-keypair",
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/builder/testdata/launch_template/standard.json b/pkg/cfn/builder/testdata/launch_template/standard.json
index 59706b3bb9..eeeb044596 100644
--- a/pkg/cfn/builder/testdata/launch_template/standard.json
+++ b/pkg/cfn/builder/testdata/launch_template/standard.json
@@ -16,7 +16,7 @@
 ],
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "SecurityGroupIds": [
 {
diff --git a/pkg/cfn/template/testdata/nodegroup-example-1.json b/pkg/cfn/template/testdata/nodegroup-example-1.json
index 5afbcb7e0c..e7dc35897e 100644
--- a/pkg/cfn/template/testdata/nodegroup-example-1.json
+++ b/pkg/cfn/template/testdata/nodegroup-example-1.json
@@ -136,7 +136,7 @@
 "KeyName": "eksctl-test-nodegroup-n5-bd:d8:ab:d8:3a:09:95:22:91:61:9f:1c:92:b5:dc:2e",
 "MetadataOptions": {
 "HttpPutResponseHopLimit": 2,
- "HttpTokens": "optional"
+ "HttpTokens": "required"
 },
 "NetworkInterfaces": [
 {
diff --git a/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go b/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go
index 0d74244bda..5ea70b6385 100644
--- a/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go
+++ b/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go
@@ -411,7 +411,7 @@ const expected = `
 "cloudWatch": false
 }
 },
- "disableIMDSv1": false,
+ "disableIMDSv1": true,
 "disablePodIMDS": false,
 "instanceSelector": {},
 "containerRuntime": "containerd"
@@ -456,7 +456,7 @@ const expected = `
 "cloudWatch": false
 }
 },
- "disableIMDSv1": false,
+ "disableIMDSv1": true,
 "disablePodIMDS": false,
 "instanceSelector": {},
 "containerRuntime": "containerd"
@@ -502,7 +502,7 @@ const expected = `
 }
 },
 "clusterDNS": "1.2.3.4",
- "disableIMDSv1": false,
+ "disableIMDSv1": true,
 "disablePodIMDS": false,
 "instanceSelector": {},
 "containerRuntime": "containerd"
@@ -547,7 +547,7 @@ const expected = `
 "cloudWatch": false
 }
 },
- "disableIMDSv1": false,
+ "disableIMDSv1": true,
 "disablePodIMDS": false,
 "instanceSelector": {},
 "containerRuntime": "containerd"
@@ -596,7 +596,7 @@ const expected = `
 }
 },
 "clusterDNS": "4.2.8.14",
- "disableIMDSv1": false,
+ "disableIMDSv1": true,
 "disablePodIMDS": false,
 "instanceSelector": {},
 "containerRuntime": "containerd"
@@ -644,7 +644,7 @@ const expected = `
 "cloudWatch": false
 }
 },
- "disableIMDSv1": false,
+ "disableIMDSv1": true,
 "disablePodIMDS": false,
 "instanceSelector": {},
 "containerRuntime": "containerd"
diff --git a/userdocs/src/usage/dry-run.md b/userdocs/src/usage/dry-run.md
index a50f0dc9cc..7ad337e681 100644
--- a/userdocs/src/usage/dry-run.md
+++ b/userdocs/src/usage/dry-run.md
@@ -21,7 +21,7 @@ kind: ClusterConfig
 managedNodeGroups:
 - amiFamily: AmazonLinux2
 desiredCapacity: 2
- disableIMDSv1: false
+ disableIMDSv1: true
 disablePodIMDS: false
 iam:
 withAddonPolicies:
diff --git a/userdocs/src/usage/eks-managed-nodes.md b/userdocs/src/usage/eks-managed-nodes.md
index 594c860995..be8f94e183 100644
--- a/userdocs/src/usage/eks-managed-nodes.md
+++ b/userdocs/src/usage/eks-managed-nodes.md
@@ -136,7 +136,8 @@ managedNodeGroups:
 volumeSize: 100
 volumeName: /dev/xvda
 volumeEncrypted: true
- disableIMDSv1: true
+ # defaults to true, which enforces the use of IMDSv2 tokens
+ disableIMDSv1: false
 overrideBootstrapCommand: |
 #!/bin/bash
 /etc/eks/bootstrap.sh managed-cluster --kubelet-extra-args '--node-labels=eks.amazonaws.com/nodegroup=custom-ng,eks.amazonaws.com/nodegroup-image=ami-0e124de4755b2734d'