Support IMDSv1 and IMDSv2 #9962
This adds optional support for the IMDSv2 protocol. By default, the aws-lambda plugin will use the IMDSv1 protocol to retrieve the instance role. Users can configure it to use IMDSv2 instead by setting the configuration parameter `aws_imds_protocol_version` to `v2`. The default for the parameter is `v1` to ensure that installations that run Kong inside of Docker on EC2 will continue to work unchanged.
Signed-off-by: Ivan Savcic <isavcic@gmail.com>
Code LGTM with a nitpick, and please add a user doc for the new config field.
Tested on EC2 with both IMDSv1/v2 and it seems to be working well.
Perhaps we should consider changing the default to v2 in the next major version, as I saw that some of the official SDKs use IMDSv2 as the default behavior (e.g. aws-go-sdk).
Is this missing a documentation PR?
@windmgc Harry asked whether we could auto-detect the IMDS protocol version and we discussed the matter in Slack. The issue with defaulting to IMDSv2 is that with container deployments in EC2, the EC2 instance metadata needs to be explicitly configured to make IMDSv2 work. It would be possible to autodetect the protocol version, but that'd come at the cost of delaying the initial requests making use of the AWS Lambda plugin. We feel that this would impact too many customers, so the configuration of the protocol version will remain explicit for now.
This PR added these features for admins. 1. The admin's belong workspace can be updated after selection. 2. The admin can't update their own belong workspace. KM-402
This supersedes #8382 by Ivan Savcic isavcic@gmail.com to fix tests.
Fixes FTI-4536 FTI-1889
Relates to CSRE-663
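The two metadata exchanges that the `aws_imds_protocol_version` setting chooses between, as an added Python example (not part of this PR or of Kong's plugin code). A constructed local mock stands in for the instance metadata service; `MockIMDS`, `start_mock`, `fetch_role_name` and the sample token and role values are assumptions made for illustration.

```python
import http.server, threading, urllib.request, urllib.error

TOKEN, ROLE = "constructed-token", "example-role"  # constructed sample values
CRED_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HDR, TOKEN_HDR = "X-aws-ec2-metadata-token-ttl-seconds", "X-aws-ec2-metadata-token"

class MockIMDS(http.server.BaseHTTPRequestHandler):
    """Local stand-in for the metadata service (assumption: simplified behaviour)."""
    def _reply(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):  # IMDSv2 step 1: issue a session token
        if self.path == "/latest/api/token" and self.headers.get(TTL_HDR):
            self._reply(200, TOKEN)
        else:
            self._reply(400)

    def do_GET(self):
        token = self.headers.get(TOKEN_HDR)
        if (token is None and self.server.v2_only) or token not in (None, TOKEN):
            self._reply(401)  # token-less or bad-token request refused
        elif self.path == CRED_PATH:
            self._reply(200, ROLE)
        else:
            self._reply(404)

    def log_message(self, *args):  # keep the example quiet
        pass

def start_mock(v2_only):
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    srv.v2_only = v2_only  # True mimics an instance that requires tokens
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]

def fetch_role_name(base, protocol_version="v1", timeout=2):
    """Return (http_status, body) for the instance role lookup."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never proxy IMDS
    headers = {}
    try:
        if protocol_version == "v2":  # PUT for a token, then present it on the GET
            put = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                         headers={TTL_HDR: "60"})
            with opener.open(put, timeout=timeout) as resp:
                headers[TOKEN_HDR] = resp.read().decode()
        get = urllib.request.Request(base + CRED_PATH, headers=headers)
        with opener.open(get, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
```

Against the token-required mock, a `v1`-style lookup returns 401 while the `v2` exchange succeeds, which is the failure a client left on `v1` would see on an instance that requires IMDSv2 tokens.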