Set httpPutResponseHopLimit to 2 when creating instances

api/v1beta2/awsmachinetemplate_webhook_test.go

@@ -127,7 +127,7 @@ func TestAWSMachineTemplateValidateUpdate(t *testing.T) {
 							InstanceType: "test",
 							InstanceMetadataOptions: &InstanceMetadataOptions{
 								HTTPEndpoint:            InstanceMetadataEndpointStateEnabled,
-								HTTPPutResponseHopLimit: 1,
+								HTTPPutResponseHopLimit: 2,
 								HTTPTokens:              HTTPTokensStateRequired,
 								InstanceMetadataTags:    InstanceMetadataEndpointStateDisabled,
 							},

api/v1beta2/types.go

@@ -285,7 +285,7 @@ func (obj *InstanceMetadataOptions) SetDefaults() {
 		obj.HTTPEndpoint = InstanceMetadataEndpointStateEnabled
 	}
 	if obj.HTTPPutResponseHopLimit == 0 {
-		obj.HTTPPutResponseHopLimit = 1
+		obj.HTTPPutResponseHopLimit = 2 // Defaults to 2 in container environment
 	}
 	if obj.HTTPTokens == "" {
 		obj.HTTPTokens = HTTPTokensStateRequired // Defaults to IMDSv2

controllers/awsmachine_controller_unit_test.go

@@ -2551,7 +2551,7 @@ func TestAWSMachineReconcilerReconcileDefaultsToLoadBalancerTypeClassic(t *testi
 						},
 						MetadataOptions: &ec2.InstanceMetadataOptionsResponse{
 							HttpEndpoint:            aws.String(string(infrav1.InstanceMetadataEndpointStateEnabled)),
-							HttpPutResponseHopLimit: aws.Int64(1),
+							HttpPutResponseHopLimit: aws.Int64(2),
 							HttpTokens:              aws.String(string(infrav1.HTTPTokensStateRequired)),
 							InstanceMetadataTags:    aws.String(string(infrav1.InstanceMetadataEndpointStateDisabled)),
 						},

docs/book/src/topics/instance-metadata.md

@@ -6,6 +6,7 @@ Instance metadata is data about your instance that you can use to configure or m
 * Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
 
 CAPA defaults to IMDSv2 when creating instances, as it provides a [better level of security](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/).
+CAPA defaults to 2 hot limit when creating instances with IMDSv2, as it is recommended in container environment according to [AWS document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations).
 
 It is possible to configure the instance metadata options using the field called `instanceMetadataOptions` in the `AWSMachineTemplate`.
 
@@ -21,7 +22,7 @@ spec:
     spec:
       instanceMetadataOptions:
         httpEndpoint: enabled
-        httpPutResponseHopLimit: 1
+        httpPutResponseHopLimit: 2
         httpTokens: required
         instanceMetadataTags: disabled
 ```