Add support for AWS IMDS v2 #10324
Conversation
Hi @bharath-123. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @rifelpet
I will rebase the PR. Forgot to run make gofmt and co :)
The new API fields look good to me but I'll let others review as well. Thanks for doing this!
Let me know if you need help with the new cloudmock functions.
@rifelpet I think this should be feature complete. I have fixed up the integration tests by mocking CreateLaunchTemplateVersion in the cloudmock. Do review it.
/ok-to-test
pkg/apis/kops/validation/aws.go
" for more details")) | ||
} | ||
|
||
if httpPutResponseLimit <= 0 || httpPutResponseLimit > 64 { |
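Review bot: the local name httpPutResponseLimit drops the "Hop" that the API field and this PR's own spec field (HTTPPutResponseHopLimit) carry, which is exactly the confusion the thread below runs into about which field is being discussed; renaming it httpPutResponseHopLimit would remove that ambiguity. The bounds themselves (reject <= 0 and > 64) match the documented AWS range of 1 to 64 for HttpPutResponseHopLimit, but since the discussion notes that a value of 1 stops pods on overlay networks from reaching IMDS, consider documenting that consequence next to the check rather than letting 1 validate silently.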
Would 1 actually work with kops? Don't we have containers that use the IMDS?
Are you referring to IMDSv1 or httpPutResponseLimit?
I believe you're referring to HttpPutResponseHopLimit, if I'm right. I was not aware of the fact that we had some containers using IMDS in kops. I will cross-check this with the AWS documentation.
I believe the IMDS is a special link-local address, as stated in the AWS docs. This may not be an issue, but I am not sure whether overlay networks like Calico will subtract the TTL before sending it out of the cluster.
I believe AWS kept the default TTL of 1 to mitigate issues against misconfigured NAT and router instances.
I refer to HttpPutResponseHopLimit
Yes. A TTL of 1 would mean no routing. So pods with hostNetwork will work, but pods using overlay IPs will not. CNIs using ENIs (lyft, cilium-eni, vpc) will probably also work, while those using overlay networks will not.
Thanks for this insight.
@olemarkus correct me if I'm wrong here. When I grepped for the 169.254.169.254 IP, I see it being used only here https://github.com/kubernetes/kops/blob/master/upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml
in the context of a container. hostNetworking is enabled for this container. I think a TTL of 1 should work in this case, if this is the only container in kops which is accessing the instance metadata service.
Fairly sure there are more containers using it, but I cannot think of anything using overlay network.
Easy enough to change later if this fails.
Got it. Makes sense.
Could you change
@olemarkus apologies for the late reply. We just finished doing an A/B upgrade of our production k8s clusters; I had no sleep for 2 days :) I actually believe it is already linked to the issue. I just felt that this PR does not fix anything as much as it adds a new feature. I shall change it regardless.
@bharath-123 I found a few ways to simplify things and also added various comment changes. After adding these changes, please squash the commits to make it easier to do another review pass.
upup/pkg/fi/cloudup/awstasks/launchtemplate_target_cloudformation.go
upup/pkg/fi/cloudup/awstasks/launchtemplate_target_terraform.go
tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml
upup/pkg/fi/cloudup/awstasks/launchtemplate_target_cloudformation.go
upup/pkg/fi/cloudup/awstasks/launchtemplate_target_terraform.go
Nice. I think these are pretty much the last changes from my point of view. Please squash the code changes into a single commit.
@rifelpet @olemarkus please take another look at this before merging.
A new field is added to the InstanceGroup spec with 2 sub-fields, HTTPPutResponseHopLimit and HTTPTokens. These fields enable the user to disable IMDSv1 for instances within an instance group. By default, both IMDSv1 and IMDSv2 are enabled on instances in an instance group.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bharath-123, hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
…-upstream-release-1.19 Automated cherry pick of #10324: Add support for AWS IMDS v2
MetadataOptions: &terraformLaunchTemplateInstanceMetadata{ | ||
HTTPTokens: e.HTTPTokens, | ||
HTTPPutResponseHopLimit: e.HTTPPutResponseHopLimit, | ||
}, |
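Review bot: the terraformLaunchTemplateInstanceMetadata literal emits only HTTPTokens and HTTPPutResponseHopLimit, and the report below shows why that is not enough with the AWS provider on Terraform 0.12.26: the provider ends up sending an empty http-endpoint and the API rejects it with "A value of '' is not valid for http-endpoint. Valid values are 'enabled' or 'disabled'". Since the reporter confirms that adding the http_endpoint attribute manually fixes it, emit http_endpoint = "enabled" from this block whenever metadata_options is written, rather than relying on the provider's documented default.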
I've found that this breaks using Terraform 0.12.26, with an error message like this:
Error: error creating Launch Template (lt-0f27a1c3cb68aba0f) Version: InvalidParameterValue: A value of ‘’ is not valid for http-endpoint. Valid values are ‘enabled’ or ‘disabled’.
status code: 400, request id: fd0c6d8c-ad70-4877-9adf-00e6e35f2edc
on kubernetes.tf line 695, in resource "aws_launch_template" "bastions-redacted":
695: resource "aws_launch_template" "bastions-redacted" {
There's an open Terraform issue describing this problem: hashicorp/terraform-provider-aws#12564. If I add the "http_endpoint" attribute in manually, it works. The documentation for that attribute says that it's optional with a reasonable default value, but in practice either Terraform is not sending a value at all, or it's sending the wrong value.
Using terraform is such a joy... Never a dull moment. 😁
Please see #10393.
This PR adds support for enabling instance metadata v2 on AWS kops clusters. This enables users to allow only IMDSv2 on their instances, to securely fetch their instance metadata.
I have tested this out by creating kops clusters and SSHing into the nodes to check whether IMDSv1 was unauthorized or not.
Have added support for launch configuration and launch templates for now.
Fixes: 9970
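The manual check described in the PR body (SSH to a node and confirm a token-less IMDSv1 request is refused) can be reproduced offline. The Go program below is an added example and is not code from kops or this PR: it runs a constructed in-process stand-in for the metadata service at 169.254.169.254 that models the two HTTPTokens settings ("required" rejects token-less GETs, "optional" allows them), and a client that performs the real two-step IMDSv2 exchange. The header names and the 1..21600 second token TTL range are those of the actual IMDSv2 API; the server, its token format and the instance id it returns are constructed, and the hop limit is not modelled because it is an IP TTL property rather than an HTTP one.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync"
	"time"
)

// mockIMDS is a constructed stand-in for the EC2 Instance Metadata Service.
// tokensRequired mirrors HTTPTokens=required (IMDSv2 only) vs optional (v1 and v2).
type mockIMDS struct {
	tokensRequired bool
	mu             sync.Mutex
	tokens         map[string]time.Time // session token -> expiry
}

func (m *mockIMDS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == http.MethodPut && r.URL.Path == "/latest/api/token":
		// IMDSv2 step 1: PUT with a TTL header (1..21600 s) returns a session token.
		ttl, err := strconv.Atoi(r.Header.Get("X-aws-ec2-metadata-token-ttl-seconds"))
		if err != nil || ttl < 1 || ttl > 21600 {
			http.Error(w, "invalid token ttl", http.StatusBadRequest)
			return
		}
		m.mu.Lock()
		tok := fmt.Sprintf("session-%d", len(m.tokens)+1) // constructed token format
		m.tokens[tok] = time.Now().Add(time.Duration(ttl) * time.Second)
		m.mu.Unlock()
		fmt.Fprint(w, tok)
	case r.Method == http.MethodGet && r.URL.Path == "/latest/meta-data/instance-id":
		// IMDSv2 step 2 (token header present) or a legacy IMDSv1 GET (no token).
		tok := r.Header.Get("X-aws-ec2-metadata-token")
		if (tok == "" && m.tokensRequired) || (tok != "" && !m.validToken(tok)) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "i-0123456789abcdef0") // constructed instance id
	default:
		http.NotFound(w, r)
	}
}

func (m *mockIMDS) validToken(tok string) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	exp, ok := m.tokens[tok]
	return ok && time.Now().Before(exp)
}

// StartMockIMDS starts the constructed server; the caller must Close() it.
func StartMockIMDS(tokensRequired bool) *httptest.Server {
	return httptest.NewServer(&mockIMDS{tokensRequired: tokensRequired, tokens: map[string]time.Time{}})
}

func readAll(resp *http.Response) (int, string) {
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(b)
}

// FetchInstanceIDv1 is the legacy request: a plain GET with no session token.
func FetchInstanceIDv1(base string) (int, string, error) {
	resp, err := http.Get(base + "/latest/meta-data/instance-id")
	if err != nil {
		return 0, "", err
	}
	st, body := readAll(resp)
	return st, body, nil
}

// FetchInstanceIDv2 does the IMDSv2 exchange: PUT for a token, then GET with it.
func FetchInstanceIDv2(base string, ttlSeconds int) (int, string, error) {
	req, _ := http.NewRequest(http.MethodPut, base+"/latest/api/token", nil)
	req.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", strconv.Itoa(ttlSeconds))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	st, tok := readAll(resp)
	if st != http.StatusOK {
		return st, "", fmt.Errorf("token request rejected with status %d", st)
	}
	req, _ = http.NewRequest(http.MethodGet, base+"/latest/meta-data/instance-id", nil)
	req.Header.Set("X-aws-ec2-metadata-token", tok)
	resp, err = http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	st, body := readAll(resp)
	return st, body, nil
}
```

With tokens required, FetchInstanceIDv1 returns 401 while FetchInstanceIDv2 returns 200 and the instance id; with tokens optional, both succeed. Against a real node the same two requests are what an operator sends with curl, and an SSRF primitive that can only issue a GET cannot complete the PUT step, which is the property HTTPTokens=required buys.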