Feature Request
Resolution: Unresolved
Normal
Product / Portfolio Work
1. Proposed title of this feature request
EC2 Instance Metadata Service (IMDS) version configurability on HCP node pools.
Today, when instances are launched, OpenShift explicitly sets the IMDSv2 metadata options, and this configuration makes IMDSv2 optional. AWS is moving to IMDSv2-required and is also beginning to make it the default in different clients. I've an idea: can we stop setting IMDS metadata options when launching an instance so that customers (or AWS) can handle this at the cloud level? AWS has introduced a way[1] to define IMDS defaults at the account+region level, which take effect when no IMDS configuration is given at launch. Since this changes the defaults, we could plan it along with a y-version so customers can ACK?
2. What is the nature and description of the request?
OCP/MAPI creates EC2 instances as part of MachineSets. By default, the EC2 instances it creates allow both IMDSv1 and IMDSv2. There is no ability to modify this configuration in OCP/MAPI or CPMS.
3. Why does the customer need this? (List the business requirements here)
IMDSv2 is more secure than IMDSv1 because it requires short-lived session tokens when accessing the IMDS endpoint from the instance or from an application pod running on the instance.
Customers could override this directly in EC2, but will that survive new nodes being created through autoscaling or auto-healing?
Enterprise environments have IAM or SCP policies that require instances to be created only with IMDSv2. In such environments, it is not possible to create HCP clusters.
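As an added example that is not part of this feature request or of the OpenShift code base, here is a small Python audit over DescribeInstances-shaped output that flags running instances still accepting IMDSv1 (HttpTokens not "required" while the endpoint is enabled), grouped by the cluster tag MAPI applies; the instance IDs, cluster ID and metadata values are constructed.

```python
"""Audit EC2 instances for IMDSv1 exposure (HttpTokens != "required").

Constructed sample data shaped like ec2:DescribeInstances output; in practice
you would feed it the JSON from `aws ec2 describe-instances` or boto3.
"""
import json
from typing import Dict, List

# Constructed sample: three instances, as returned by DescribeInstances.
# Instance IDs, the cluster tag value and metadata options are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
         "Tags": [{"Key": "kubernetes.io/cluster/example-abc12", "Value": "owned"}],
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
         "Tags": [{"Key": "kubernetes.io/cluster/example-abc12", "Value": "owned"}],
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "State": {"Name": "running"},
         "Tags": [],
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
})


def imdsv1_exposed(instance: Dict) -> bool:
    """True when IMDS is reachable and session tokens are not enforced."""
    opts = instance.get("MetadataOptions", {})
    return opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required"


def audit(describe_json: str, cluster_tag_prefix: str = "kubernetes.io/cluster/") -> List[Dict]:
    """Return one finding per running instance that still accepts IMDSv1."""
    findings = []
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running" or not imdsv1_exposed(inst):
                continue
            # Recover the OpenShift infra ID from the kubernetes.io/cluster/<id> tag.
            cluster = next((t["Key"][len(cluster_tag_prefix):] for t in inst.get("Tags", [])
                            if t["Key"].startswith(cluster_tag_prefix)), None)
            findings.append({"InstanceId": inst["InstanceId"], "Cluster": cluster,
                             "HopLimit": inst["MetadataOptions"].get("HttpPutResponseHopLimit")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f['InstanceId']} (cluster={f['Cluster']}): IMDSv1 allowed, hop limit {f['HopLimit']}")
```

The hop limit is reported alongside the finding because a limit above 1 lets IMDSv1 responses reach pods on the node, which is the exposure the IMDSv2 requirement is meant to close.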
4. List any affected packages or components.
MAPI