Commit a8dd0c2

fix(aws.go): load region before attempting to assume a role
1 parent da98050 commit a8dd0c2

1 file changed

+17
-9
lines changed


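--- a/pkg/controllers/routing/aws.go
+++ b/pkg/controllers/routing/aws.go
@@ -23,10 +23,9 @@ const (
 awsMaxRetries = 5
 )
 
-// disableSourceDestinationCheck disables src-dst check of all the VM's when cluster
-// is provisioned on AWS. EC2 by default drops any packets originating or destination
-// to a VM with IP other than that of VM's ip. This check needs to be disabled so that
-// cross node pod-to-pod traffic can be sent and received by a VM.
+// disableSourceDestinationCheck disables src-dst check of all the VM's when cluster is provisioned on AWS. EC2 by
+// default drops any packets originating or destination to a VM with IP other than that of VM's ip. This check needs to
+// be disabled so that cross node pod-to-pod traffic can be sent and received by a VM.
 func (nrc *NetworkRoutingController) disableSourceDestinationCheck() {
 nodes := nrc.nodeLister.List()
 
@@ -44,15 +43,24 @@ func (nrc *NetworkRoutingController) disableSourceDestinationCheck() {
 instanceID := URL.Path
 instanceID = strings.Trim(instanceID, "/")
 
-cfg, _ := config.LoadDefaultConfig(context.TODO(),
+// First, get the region from IMDS. This must be done before loading the full config because when using IRSA
+// (IAM Roles for Service Accounts), the STS client needs a region configured before it can assume the role to
+// get credentials.
+imdsClient := imds.New(imds.Options{})
+region, err := imdsClient.GetRegion(context.TODO(), &imds.GetRegionInput{})
+if err != nil {
+klog.Errorf("failed to get region from IMDS: %v", err)
+return
+}
+
+// Now load the full AWS config with the region already set
+cfg, err := config.LoadDefaultConfig(context.TODO(),
+config.WithRegion(region.Region),
 config.WithRetryMaxAttempts(awsMaxRetries))
-metadataClient := imds.NewFromConfig(cfg)
-region, err := metadataClient.GetRegion(context.TODO(), &imds.GetRegionInput{})
 if err != nil {
-klog.Errorf("failed to disable source destination check due to: %v", err)
+klog.Errorf("failed to load AWS config: %v", err)
 return
 }
-cfg.Region = region.Region
 ec2Client := ec2.NewFromConfig(cfg)
 _, err = ec2Client.ModifyInstanceAttribute(context.TODO(),
 &ec2.ModifyInstanceAttributeInput{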
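Review bot: The new IMDS lookup at new lines 49-53 makes IMDS reachability a hard requirement, and `config.WithRegion(region.Region)` on line 58 then overrides any region an operator already set via `AWS_REGION` or shared config, so a node where IMDS is blocked or hop-limited now takes the early `return` even though the region was known; the old code had the same IMDS dependency, but this commit is the moment to make it a fallback only. The SDK's config package appears to offer exactly that — `config.WithEC2IMDSRegion()` resolves the region from IMDS only when the environment and shared config do not supply one — so the manual `imds.New`/`GetRegion` block could be dropped in favour of `cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithEC2IMDSRegion(), config.WithRetryMaxAttempts(awsMaxRetries))`; worth confirming against the pinned SDK version. Separately, both the IMDS call and `LoadDefaultConfig` (which under IRSA may now perform an STS AssumeRoleWithWebIdentity round trip) run on `context.TODO()` with no deadline, so a hung metadata or STS endpoint stalls this controller indefinitely; a bounded `context.WithTimeout` would cap that. `disableSourceDestinationCheck` starts before this hunk and its body continues past it.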
