Resolution: Done
Support for IMDSv2 and IMDSv1 configuration from AWS EC2 machinesets - Openshift 4.
###################
ISSUE DESCRIPTION
###################
- Based on the official release notes for 4.7 and onwards, from the following Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1899220
  Ignition now supports fetching configs on AWS from Instance Metadata Service Version 2 (IMDSv2). With this enhancement, AWS EC2 instances can be created with IMDSv1 disabled so that IMDSv2 is needed to read the Ignition config from instance user data. As a result, Ignition successfully reads its config from instance user data, regardless of whether IMDSv1 is enabled or not.
- There should be a way to configure IMDSv1/IMDSv2 from the AWS machineset perspective.
- From the RHCOS/FCOS perspective, there is no knob to configure an EC2 machine with IMDSv2 on the fly through Ignition/MachineConfig. Ignition configures the VM based on the metadata service settings (IMDSv1/v2) that EC2 has already applied to the instance.
- This use case is not handled by Ignition itself. Ignition only detects which metadata service version the VM in EC2 has been configured with and acts accordingly: for example, if the VM was configured manually to require IMDSv2, Ignition uses IMDSv2; otherwise it falls back to IMDSv1.
###################
CURRENT SCENARIO
###################
- Right now, it is possible to configure this manually from the EC2 side:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
However, this is a manual step per instance. When working with machinesets in OpenShift 4, new instances created by a machineset are set to IMDSv1 by default, which undermines the security of automated machine provisioning from the OCP 4 perspective.
###################
EXPECTATION OF RFE.
###################
- The problem is that manually forcing IMDSv2 when working with machinesets is tedious, and machine-api does not offer any option to set EC2 metadata options, so this approach cannot be automated from the OCP side.
- The current proposal of this RFE is to evaluate adding a machineset option that automatically selects IMDSv2 or IMDSv1 for new machines populated from machinesets or the autoscaler.
- Workaround for now: set IMDSv2 manually on each instance. This breaks the enterprise security model, since new instances are obviously started with IMDSv1 enabled by default.
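As an added example (not part of this RFE or of the machine-api project), the audit a cluster admin would run while the manual workaround is in place: parse `aws ec2 describe-instances` output, flag instances whose MetadataOptions still accept IMDSv1 (HttpTokens=optional), and emit the per-instance `modify-instance-metadata-options` calls that enforce IMDSv2. The instance IDs and Name tags below are constructed sample data, not real instances.

```python
import json

# Constructed sample of `aws ec2 describe-instances` JSON (not real instances):
# one node still accepting IMDSv1 (HttpTokens=optional), one already IMDSv2-only.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000aaaa",
         "Tags": [{"Key": "Name", "Value": "demo-worker-us-east-1a-x1"}],
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0000000000000bbbb",
         "Tags": [{"Key": "Name", "Value": "demo-worker-us-east-1b-y2"}],
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    ]}]
})


def instances_allowing_imdsv1(describe_output: str) -> list[dict]:
    """Return instances whose metadata options still answer IMDSv1 requests.

    HttpTokens == "optional" means a plain GET without a session token is
    served (IMDSv1 reachable); "required" enforces the IMDSv2 token handshake.
    """
    findings = []
    for reservation in json.loads(describe_output)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS switched off entirely: no v1 exposure on this node
            if opts.get("HttpTokens", "optional") != "required":
                name = next((t["Value"] for t in inst.get("Tags", [])
                             if t["Key"] == "Name"), "")
                findings.append({"InstanceId": inst["InstanceId"], "Name": name,
                                 "HttpTokens": opts.get("HttpTokens", "optional")})
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """Build the per-instance CLI calls that enforce IMDSv2 (the ticket's manual workaround)."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {f['InstanceId']} "
            "--http-tokens required --http-endpoint enabled"
            for f in findings]


if __name__ == "__main__":
    found = instances_allowing_imdsv1(SAMPLE_DESCRIBE_INSTANCES)
    for f in found:
        print(f"IMDSv1 still enabled: {f['InstanceId']} ({f['Name']})")
    print("\n".join(remediation_commands(found)))
```

Feed it the real output of `aws ec2 describe-instances --filters Name=tag-key,Values=kubernetes.io/cluster/<infraID> --output json` to scope the audit to one cluster's nodes; newly scaled machines will reappear in the report until the machineset itself can request IMDSv2.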