
Configure IMDS2 for AWS instances per default [KIM/feature] #156

Closed
2 tasks
Tracked by #112
tobiscr opened this issue Mar 18, 2024 · 5 comments
Labels
bv/security Business Value: Security (see ISO 25010)

Comments

@tobiscr
Contributor

tobiscr commented Mar 18, 2024

Description

To increase the overall security of our AWS clusters, the default configuration in Gardener should be adjusted to use IMDS2 as default.

Currently, new worker pools are created having IMDS1 enabled (this is the default if no explicit configuration is provided). We have to adjust the shoot-spec for Gardener to use IMDS2 per default.

AC:

  • Align with SREs on the rollout of this feature as it requires a migration of old AWS instances from IMDS1 to IMDS2
  • All AWS clusters are using IMDS2 as default value, IMDS1 is no longer used
@tobiscr
Contributor Author

tobiscr commented Mar 18, 2024

Impacts default configuration of worker pools - see also #46

@tobiscr tobiscr added the bv/security Business Value: Security (see ISO 25010) label Mar 20, 2024
@Disper
Member

Disper commented Apr 22, 2024

Relevant fragment

The instanceMetadataOptions controls access to the instance metadata service (IMDS) for members of the worker. You can do the following operations:

  • access IMDSv1 (default)
  • access IMDSv2 - httpPutResponseHopLimit >= 2
  • access IMDSv2 only (restrict access to IMDSv1) - httpPutResponseHopLimit >= 2, httpTokens = "required"
  • disable access to IMDS - httpTokens = "required"

Note: The accessibility of IMDS discussed in the previous point is referenced from the point of view of containers NOT running in the host network.
By default on host network IMDSv2 is already enabled (but not accessible from inside the pods).
It is currently not possible to create a VM with complete restriction to the IMDS service. It is however possible to restrict access from inside the pods by setting httpTokens to required and not setting httpPutResponseHopLimit (or setting it to 1).
You can find more information regarding the options in the AWS documentation.

@Disper
Member

Disper commented Apr 23, 2024

Notes from today's alignment with @tobiscr and @ebensom
At the end, we need to make sure that those two fields:

  • httpPutResponseHopLimit >= 2
  • httpTokens = "required"

will be configured for AWS for new clusters using a feature flag. SRE is willing to raise a PR with that change which @kyma-project/framefrog should review. Later, SRE will ensure that all shoots are upgraded to use those new values.
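
As an added example (not code from this issue, from Gardener or from Kyma), the following Python script encodes the four IMDS postures from the documentation fragment quoted in the Apr 22 comment together with the target agreed in the alignment notes above, and flags worker pools that still let pods reach IMDSv1. The pool layout worker -> providerConfig -> instanceMetadataOptions is an assumption chosen to resemble a shoot spec; only the two option names (httpPutResponseHopLimit, httpTokens) come from the thread, and the sample pools are constructed.

```python
"""Classify the IMDS posture of Gardener AWS worker pools.

Added example, not code from this issue, from Gardener or from Kyma. It encodes
the four cases of the documentation fragment quoted in the thread and the
target agreed in the alignment notes (httpPutResponseHopLimit >= 2 plus
httpTokens = "required"). The dict layout worker -> providerConfig ->
instanceMetadataOptions is an assumption chosen to resemble a shoot spec;
only the two option names come from the issue.
"""
from typing import Any, Dict, List, Optional

# Postures, in the order the quoted fragment lists them.
IMDSV1_DEFAULT = "IMDSv1 reachable from pods (default)"
IMDSV2_AND_V1 = "IMDSv2 reachable, IMDSv1 still reachable"
IMDSV2_ONLY = "IMDSv2 only"
IMDS_DISABLED = "IMDS unreachable from pods"


def classify_imds(options: Optional[Dict[str, Any]]) -> str:
    """Map instanceMetadataOptions to one of the four postures.

    Rules as stated in the fragment (for pods not on the host network):
      * nothing set                          -> IMDSv1 (default)
      * hop limit >= 2, tokens not required  -> IMDSv2 reachable, v1 still open
      * hop limit >= 2, tokens required      -> IMDSv2 only
      * tokens required, hop limit unset/1   -> IMDS unreachable from pods
    """
    opts = options or {}
    tokens = opts.get("httpTokens", "optional")              # EC2 default: optional
    hop_limit = int(opts.get("httpPutResponseHopLimit", 1))  # EC2 default: 1
    if tokens == "required":
        return IMDSV2_ONLY if hop_limit >= 2 else IMDS_DISABLED
    return IMDSV2_AND_V1 if hop_limit >= 2 else IMDSV1_DEFAULT


def pool_options(worker: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Extract instanceMetadataOptions from the assumed pool layout."""
    return (worker.get("providerConfig") or {}).get("instanceMetadataOptions")


def audit_pools(workers: List[Dict[str, Any]]) -> Dict[str, str]:
    """Posture per pool name, in input order."""
    return {w["name"]: classify_imds(pool_options(w)) for w in workers}


def pools_allowing_imdsv1(workers: List[Dict[str, Any]]) -> List[str]:
    """Pools violating the acceptance criterion 'IMDSv1 is no longer used'."""
    return [name for name, posture in audit_pools(workers).items()
            if posture in (IMDSV1_DEFAULT, IMDSV2_AND_V1)]


def pools_off_target(workers: List[Dict[str, Any]]) -> List[str]:
    """Pools not yet at the agreed target: hop limit >= 2 and tokens required."""
    return [name for name, posture in audit_pools(workers).items()
            if posture != IMDSV2_ONLY]


# Constructed sample pools; names and values are made up for this example.
SAMPLE_WORKERS: List[Dict[str, Any]] = [
    {"name": "legacy", "providerConfig": {}},
    {"name": "hop2", "providerConfig": {
        "instanceMetadataOptions": {"httpPutResponseHopLimit": 2}}},
    {"name": "hardened", "providerConfig": {
        "instanceMetadataOptions": {"httpTokens": "required",
                                    "httpPutResponseHopLimit": 2}}},
    {"name": "locked", "providerConfig": {
        "instanceMetadataOptions": {"httpTokens": "required"}}},
]

if __name__ == "__main__":
    for name, posture in audit_pools(SAMPLE_WORKERS).items():
        print(f"{name:10s} {posture}")
    print("still allowing IMDSv1:", pools_allowing_imdsv1(SAMPLE_WORKERS))
    print("not at agreed target: ", pools_off_target(SAMPLE_WORKERS))
```

Run against a real shoot, the interesting output is the two lists: `pools_allowing_imdsv1` tracks the acceptance criterion in the issue description (IMDSv1 no longer used), while `pools_off_target` is stricter and also reports pools that set httpTokens to required without raising the hop limit, which the quoted fragment describes as cutting pods off from IMDS entirely rather than moving them to IMDSv2.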

@tobiscr
Contributor Author

tobiscr commented May 8, 2024

Fix for provisioner was created by @ebensom : kyma-project/control-plane@ea75326

@tobiscr tobiscr changed the title Configure IMDS2 for AWS instances per default Configure IMDS2 for AWS instances per default [KIM/feature] Jun 26, 2024
@tobiscr
Contributor Author

tobiscr commented Oct 9, 2024

Already covered in KIM

@tobiscr tobiscr closed this as completed Oct 9, 2024