Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve IDMSv2 security #3796

Open
2 tasks
T-Kukawka opened this issue Dec 4, 2024 · 1 comment
Open
2 tasks

Improve IDMSv2 security #3796

T-Kukawka opened this issue Dec 4, 2024 · 1 comment
Labels
provider/cluster-api-aws Cluster API based running on AWS team/phoenix Team Phoenix

Comments

@T-Kukawka
Copy link
Contributor

CAPA GS implementation supports toggling the IMDS(instance metadata service) to v2 only. By default on any new CAPA clusters the setting global.providerSpecific.instanceMetadataOptions.httpTokens is set to required in the WC configmap.

However, while being more secured than v1, the IMDSv2 endpoint can still be abused. For the pods that are enforced not to run in the host network, there is another layer of configuration that can be performed. As stated in the official AWS documentation:

Another way to block pod IMDS access is to require IMDS version 2 (IMDSv2) to be used, and to set the maximum [hop count](https://hopzero.com/what-does-hop-count-mean/) to 1. Configuring IMDS this way will cause requests to IMDS from pods to be rejected, provided those pods do not use host networking.

Action points:

  • expose configuration of hop count on the EC2 instance settings in cluster-aws that is available in upstream CAPA implementation under: instanceMetadataOptions.HttpPutResponseHopLimit
  • configure HttpPutResponseHopLimit to be set to 1 by default
@github-project-automation github-project-automation bot moved this to Inbox 📥 in Roadmap Dec 4, 2024
@T-Kukawka T-Kukawka added team/phoenix Team Phoenix provider/cluster-api-aws Cluster API based running on AWS labels Dec 4, 2024
@T-Kukawka
Copy link
Contributor Author

Relevant issue for reverting hop=1: https://github.com/giantswarm/giantswarm/issues/22043

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
provider/cluster-api-aws Cluster API based running on AWS team/phoenix Team Phoenix
Projects
Status: Inbox 📥
Development

No branches or pull requests

1 participant