Configure EC2 instance metadata options (#4037)

* Configure ec2 instance metadata options Allows configuration of EC2 instance metadata options to add IMDSv2 support. * add e2e test * refactor to reduce complexity * test machine deployment
kubernetes-sigs · Mar 7, 2023 · aa7d627 · aa7d627
1 parent 36ddbf4
commit aa7d627
Show file tree

Hide file tree

Showing 22 changed files with 636 additions and 40 deletions.
diff --git a/api/v1beta1/awscluster_conversion.go b/api/v1beta1/awscluster_conversion.go
@@ -44,6 +44,9 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 	restoreControlPlaneLoadBalancerStatus(&restored.Status.Network.APIServerELB, &dst.Status.Network.APIServerELB)
 
 	dst.Spec.S3Bucket = restored.Spec.S3Bucket
+	if restored.Status.Bastion != nil {
+		dst.Status.Bastion.InstanceMetadataOptions = restored.Status.Bastion.InstanceMetadataOptions
+	}
 
 	return nil
 }

diff --git a/api/v1beta1/awsmachine_conversion.go b/api/v1beta1/awsmachine_conversion.go
@@ -36,6 +36,7 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 	}
 
 	dst.Spec.Ignition = restored.Spec.Ignition
+	dst.Spec.InstanceMetadataOptions = restored.Spec.InstanceMetadataOptions
 
 	return nil
 }
@@ -81,6 +82,7 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 
 	dst.Spec.Template.ObjectMeta = restored.Spec.Template.ObjectMeta
 	dst.Spec.Template.Spec.Ignition = restored.Spec.Template.Spec.Ignition
+	dst.Spec.Template.Spec.InstanceMetadataOptions = restored.Spec.Template.Spec.InstanceMetadataOptions
 
 	return nil
 }

diff --git a/api/v1beta1/conversion.go b/api/v1beta1/conversion.go
@@ -43,6 +43,14 @@ func Convert_v1beta2_NetworkStatus_To_v1beta1_NetworkStatus(in *v1beta2.NetworkS
 	return autoConvert_v1beta2_NetworkStatus_To_v1beta1_NetworkStatus(in, out, s)
 }
 
+func Convert_v1beta2_AWSMachineSpec_To_v1beta1_AWSMachineSpec(in *v1beta2.AWSMachineSpec, out *AWSMachineSpec, s conversion.Scope) error {
+	return autoConvert_v1beta2_AWSMachineSpec_To_v1beta1_AWSMachineSpec(in, out, s)
+}
+
+func Convert_v1beta2_Instance_To_v1beta1_Instance(in *v1beta2.Instance, out *Instance, s conversion.Scope) error {
+	return autoConvert_v1beta2_Instance_To_v1beta1_Instance(in, out, s)
+}
+
 func Convert_v1beta1_ClassicELB_To_v1beta2_LoadBalancer(in *ClassicELB, out *v1beta2.LoadBalancer, s conversion.Scope) error {
 	out.Name = in.Name
 	out.DNSName = in.DNSName

diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/awsmachine_types.go b/api/v1beta2/awsmachine_types.go
@@ -51,6 +51,10 @@ type AWSMachineSpec struct {
 	// InstanceID is the EC2 instance ID for this machine.
 	InstanceID *string `json:"instanceID,omitempty"`
 
+	// InstanceMetadataOptions is the metadata options for the EC2 instance.
+	// +optional
+	InstanceMetadataOptions *InstanceMetadataOptions `json:"instanceMetadataOptions,omitempty"`
+
 	// AMI is the reference to the AMI from which to create the machine instance.
 	AMI AMIReference `json:"ami,omitempty"`
 

diff --git a/api/v1beta2/defaults.go b/api/v1beta2/defaults.go
@@ -79,3 +79,15 @@ func SetDefaults_Labels(obj *metav1.ObjectMeta) { //nolint:golint,stylecheck
 			clusterv1.ClusterctlMoveHierarchyLabelName: ""}
 	}
 }
+
+// SetDefaults_AWSMachineSpec is used by defaulter-gen.
+func SetDefaults_AWSMachineSpec(obj *AWSMachineSpec) { //nolint:golint,stylecheck
+	if obj.InstanceMetadataOptions == nil {
+		obj.InstanceMetadataOptions = &InstanceMetadataOptions{
+			HTTPEndpoint:            InstanceMetadataEndpointStateEnabled,
+			HTTPPutResponseHopLimit: 1,
+			HTTPTokens:              HTTPTokensStateRequired, // Defaults to IMDSv2
+			InstanceMetadataTags:    InstanceMetadataEndpointStateDisabled,
+		}
+	}
+}
diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -201,6 +201,83 @@ type Instance struct {
 	// IDs of the instance's volumes
 	// +optional
 	VolumeIDs []string `json:"volumeIDs,omitempty"`
+
+	// InstanceMetadataOptions is the metadata options for the EC2 instance.
+	// +optional
+	InstanceMetadataOptions *InstanceMetadataOptions `json:"instanceMetadataOptions,omitempty"`
+}
+
+// InstanceMetadataState describes the state of InstanceMetadataOptions.HttpEndpoint and InstanceMetadataOptions.InstanceMetadataTags
+type InstanceMetadataState string
+
+const (
+	// InstanceMetadataEndpointStateDisabled represents the disabled state
+	InstanceMetadataEndpointStateDisabled = InstanceMetadataState("disabled")
+
+	// InstanceMetadataEndpointStateEnabled represents the enabled state
+	InstanceMetadataEndpointStateEnabled = InstanceMetadataState("enabled")
+)
+
+// HTTPTokensState describes the state of InstanceMetadataOptions.HTTPTokensState
+type HTTPTokensState string
+
+const (
+	// HTTPTokensStateOptional represents the optional state
+	HTTPTokensStateOptional = HTTPTokensState("optional")
+
+	// HTTPTokensStateRequired represents the required state (IMDSv2)
+	HTTPTokensStateRequired = HTTPTokensState("required")
+)
+
+// InstanceMetadataOptions describes metadata options for the EC2 instance.
+type InstanceMetadataOptions struct {
+	// Enables or disables the HTTP metadata endpoint on your instances.
+	//
+	// If you specify a value of disabled, you cannot access your instance metadata.
+	//
+	// Default: enabled
+	//
+	// +kubebuilder:validation:Enum:=enabled;disabled
+	// +kubebuilder:default=enabled
+	HTTPEndpoint InstanceMetadataState `json:"httpEndpoint,omitempty"`
+
+	// The desired HTTP PUT response hop limit for instance metadata requests. The
+	// larger the number, the further instance metadata requests can travel.
+	//
+	// Default: 1
+	//
+	// +kubebuilder:validation:Minimum:=1
+	// +kubebuilder:validation:Maximum:=64
+	// +kubebuilder:default=1
+	HTTPPutResponseHopLimit int64 `json:"httpPutResponseHopLimit,omitempty"`
+
+	// The state of token usage for your instance metadata requests.
+	//
+	// If the state is optional, you can choose to retrieve instance metadata with
+	// or without a session token on your request. If you retrieve the IAM role
+	// credentials without a token, the version 1.0 role credentials are returned.
+	// If you retrieve the IAM role credentials using a valid session token, the
+	// version 2.0 role credentials are returned.
+	//
+	// If the state is required, you must send a session token with any instance
+	// metadata retrieval requests. In this state, retrieving the IAM role credentials
+	// always returns the version 2.0 credentials; the version 1.0 credentials are
+	// not available.
+	//
+	// Default: required
+	// +kubebuilder:validation:Enum:=optional;required
+	// +kubebuilder:default=required
+	HTTPTokens HTTPTokensState `json:"httpTokens,omitempty"`
+
+	// Set to enabled to allow access to instance tags from the instance metadata.
+	// Set to disabled to turn off access to instance tags from the instance metadata.
+	// For more information, see Work with instance tags using the instance metadata
+	// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS).
+	//
+	// Default: disabled
+	// +kubebuilder:validation:Enum:=enabled;disabled
+	// +kubebuilder:default=disabled
+	InstanceMetadataTags InstanceMetadataState `json:"instanceMetadataTags,omitempty"`
 }
 
 // Volume encapsulates the configuration options for the storage device.

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/api/v1beta2/zz_generated.defaults.go b/api/v1beta2/zz_generated.defaults.go