eks: support for blocking node-level instance metadata #31124
Comments
Thank you for bringing this to our attention. Except for baking your own launchTemplate for MNG, I didn't see any option out-of-the-box for that in cloudformation. But I noticed this:
I will reach out internally to see what we can do from CFN's perspective and improve CDK accordingly.
internal tracking: V1486188294
OK, I tried to create a default nodegroup using code like this:

```typescript
import * as eks from 'aws-cdk-lib/aws-eks';
import { KubectlV30Layer } from '@aws-cdk/lambda-layer-kubectl-v30';

// `vpc` is an ec2.IVpc defined elsewhere in the stack
new eks.Cluster(this, 'dummy-eks-cluster', {
  clusterName: 'dummy-eks-cluster',
  vpc,
  version: eks.KubernetesVersion.V1_30,
  kubectlLayer: new KubectlV30Layer(this, 'kubectl'),
  defaultCapacity: 1,
});
```

And checked the launch template the managed nodegroup is associated with. I see this:

So I am pretty sure:
Let me know if you have any other concerns.
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Thanks for checking up on this. The guidance in the eks-best-practices docs is a bit counter-intuitive for me, since it recommends both "1" and "2" as token hop limits; it's not clear to me when we'd need to set the limit to 2 and when it should be lowered to 1. But that's not CDK's fault. Thanks for checking up on this anyway!
Describe the feature
According to https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node, it's strongly recommended to disallow pods accessing the node's instance metadata.
Since this is a strong recommendation, it's troubling that cdk-eks doesn't support this for managed node groups. The only way I can see to do this today is by specifying a full node template, which kind of defeats the purpose of managed node groups.
Use Case
To follow AWS' best practices
Proposed Solution
Allow supplying an optional "metadata options" object to the node group.
Other Information
No response
Acknowledgements
CDK version used
2.151.0
Environment details (OS name and version, etc.)
Ubuntu 24