Merge pull request #4384 from stefanmcshane/main

IMDSv2 on AWSManagedMachinePool

Author: k8s-ci-robot

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml

@@ -623,6 +623,59 @@ spec:
                     description: ImageLookupOrg is the AWS Organization ID to use
                       for image lookup if AMI is not set.
                     type: string
+                  instanceMetadataOptions:
+                    description: InstanceMetadataOptions defines the behavior for
+                      applying metadata to instances.
+                    properties:
+                      httpEndpoint:
+                        default: enabled
+                        description: "Enables or disables the HTTP metadata endpoint
+                          on your instances. \n If you specify a value of disabled,
+                          you cannot access your instance metadata. \n Default: enabled"
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                      httpPutResponseHopLimit:
+                        default: 1
+                        description: "The desired HTTP PUT response hop limit for
+                          instance metadata requests. The larger the number, the further
+                          instance metadata requests can travel. \n Default: 1"
+                        format: int64
+                        maximum: 64
+                        minimum: 1
+                        type: integer
+                      httpTokens:
+                        default: optional
+                        description: "The state of token usage for your instance metadata
+                          requests. \n If the state is optional, you can choose to
+                          retrieve instance metadata with or without a session token
+                          on your request. If you retrieve the IAM role credentials
+                          without a token, the version 1.0 role credentials are returned.
+                          If you retrieve the IAM role credentials using a valid session
+                          token, the version 2.0 role credentials are returned. \n
+                          If the state is required, you must send a session token
+                          with any instance metadata retrieval requests. In this state,
+                          retrieving the IAM role credentials always returns the version
+                          2.0 credentials; the version 1.0 credentials are not available.
+                          \n Default: optional"
+                        enum:
+                        - optional
+                        - required
+                        type: string
+                      instanceMetadataTags:
+                        default: disabled
+                        description: "Set to enabled to allow access to instance tags
+                          from the instance metadata. Set to disabled to turn off
+                          access to instance tags from the instance metadata. For
+                          more information, see Work with instance tags using the
+                          instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS).
+                          \n Default: disabled"
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   instanceType:
                     description: 'InstanceType is the type of instance to create.
                       Example: m4.xlarge'

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml

@@ -611,6 +611,59 @@ spec:
                     description: ImageLookupOrg is the AWS Organization ID to use
                       for image lookup if AMI is not set.
                     type: string
+                  instanceMetadataOptions:
+                    description: InstanceMetadataOptions defines the behavior for
+                      applying metadata to instances.
+                    properties:
+                      httpEndpoint:
+                        default: enabled
+                        description: "Enables or disables the HTTP metadata endpoint
+                          on your instances. \n If you specify a value of disabled,
+                          you cannot access your instance metadata. \n Default: enabled"
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                      httpPutResponseHopLimit:
+                        default: 1
+                        description: "The desired HTTP PUT response hop limit for
+                          instance metadata requests. The larger the number, the further
+                          instance metadata requests can travel. \n Default: 1"
+                        format: int64
+                        maximum: 64
+                        minimum: 1
+                        type: integer
+                      httpTokens:
+                        default: optional
+                        description: "The state of token usage for your instance metadata
+                          requests. \n If the state is optional, you can choose to
+                          retrieve instance metadata with or without a session token
+                          on your request. If you retrieve the IAM role credentials
+                          without a token, the version 1.0 role credentials are returned.
+                          If you retrieve the IAM role credentials using a valid session
+                          token, the version 2.0 role credentials are returned. \n
+                          If the state is required, you must send a session token
+                          with any instance metadata retrieval requests. In this state,
+                          retrieving the IAM role credentials always returns the version
+                          2.0 credentials; the version 1.0 credentials are not available.
+                          \n Default: optional"
+                        enum:
+                        - optional
+                        - required
+                        type: string
+                      instanceMetadataTags:
+                        default: disabled
+                        description: "Set to enabled to allow access to instance tags
+                          from the instance metadata. Set to disabled to turn off
+                          access to instance tags from the instance metadata. For
+                          more information, see Work with instance tags using the
+                          instance metadata (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS).
+                          \n Default: disabled"
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   instanceType:
                     description: 'InstanceType is the type of instance to create.
                       Example: m4.xlarge'

docs/book/src/topics/instance-metadata.md

@@ -2,8 +2,8 @@
 
 Instance metadata is data about your instance that you can use to configure or manage the running instance which you can access from a running instance using one of the following methods:
 
-* Instance Metadata Service Version 1 (IMDSv1) – a request/response method
-* Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
+- Instance Metadata Service Version 1 (IMDSv1) – a request/response method
+- Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
 
 CAPA defaults to use IMDSv2 as optional property when creating instances.
 
@@ -12,6 +12,7 @@ CAPA expose options to configure IMDSv2 as required when creating instances, as
 It is possible to configure the instance metadata options using the field called `instanceMetadataOptions` in the `AWSMachineTemplate`.
 
 Example:
+
 ```yaml
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -31,8 +32,66 @@ spec:
 To use IMDSv2, simply set `httpTokens` value to `required` (in other words, set the use of IMDSv2 to required).
 To use IMDSv2, please also set `httpPutResponseHopLimit` value to `2`, as it is recommended in container environment according to [AWS document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations).
 
+Similarly, this can be done with `AWSManagedMachinePool` for use with EKS Managed Nodegroups. One slight difference here is that you [must use Launch Templates to configure IMDSv2 with Autoscaling Groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html). In order to configure the LaunchTemplate, you must use a custom AMI type according to the AWS API. This can be done by setting `AWSManagedMachinePool.spec.amiType` to `CUSTOM`. This change means that you must also specify a bootstrapping script to the worker node, which allows it to be joined to the EKS cluster. The default AWS Managed Node Group bootstrap script can be found [here on Github](https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh).
+
+The following example will use the default Amazon EKS Worker Node AMI which includes the default EKS Bootstrapping script. This must be installed on the management cluster as a Secret, under the key `value`. The secret's name must then be included in your `MachinePool` manifest at `MachinePool.spec.template.spec.bootstrap.dataSecretName`. Some assumptions are made for this example:
+
+- Your cluster name is `capi-imds`, which CAPA renames to `default_capi-imds-control-plane` automatically
+- Your cluster is Kubernetes Version `v1.25.9`
+- Your `AWSManagedCluster` is deployed in the `default` namespace along with the bootstrap secret `eks-bootstrap`
+
+```yaml
+kind: Secret
+apiVersion: v1
+type: Opaque
+data:
+  value: IyEvYmluL2Jhc2ggLXhlCi9ldGMvZWtzL2Jvb3RzdHJhcC5zaCBkZWZhdWx0X2NhcGktaW1kcy1jb250cm9sLXBsYW5l
+metadata:
+  name: eks-bootstrap
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+kind: AWSManagedMachinePool
+metadata:
+  name: "capi-imds-pool-launchtemplate"
+spec:
+  amiType: CUSTOM
+  awsLaunchTemplate:
+    name: my-aws-launch-template
+    instanceType: t3.nano
+    metadataOptions:
+      httpTokens: required
+      httpPutResponseHopLimit: 2
+---
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: MachinePool
+metadata:
+  name: "capi-imds-pool-1"
+spec:
+  clusterName: "capi-imds"
+  replicas: 1
+  template:
+    spec:
+      version: v1.25.9
+      clusterName: "capi-imds"
+      bootstrap:
+        dataSecretName: "eks-bootstrap"
+      infrastructureRef:
+        name: "capi-imds-pool-launchtemplate"
+        apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+        kind: AWSManagedMachinePool
+```
+
+`IyEvYmluL2Jhc2ggLXhlCi9ldGMvZWtzL2Jvb3RzdHJhcC5zaCBkZWZhdWx0X2NhcGktaW1kcy1jb250cm9sLXBsYW5l` in the above secret is a Base64 encoded version of the following script:
+
+```bash
+#!/bin/bash -xe
+/etc/eks/bootstrap.sh default_capi-imds-control-plane
+```
+
+If your cluster is not named `default_capi-imds-control-plane` in the AWS EKS console, you must update the name and store it as a Secret again.
+
 See [the CLI command reference](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-instance-metadata-options.html) for more information.
 
-Before you decide to use IMDSv2 for the cluster instances, please make sure all your applications are compatible to IMDSv2. 
+Before you decide to use IMDSv2 for the cluster instances, please make sure all your applications are compatible with IMDSv2.
 
 See the [transition guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html#recommended-path-for-requiring-imdsv2) for more information.

exp/api/v1beta1/conversion.go

@@ -44,6 +44,9 @@ func (src *AWSMachinePool) ConvertTo(dstRaw conversion.Hub) error {
 	if dst.Spec.RefreshPreferences != nil && restored.Spec.RefreshPreferences != nil {
 		dst.Spec.RefreshPreferences.Disable = restored.Spec.RefreshPreferences.Disable
 	}
+	if restored.Spec.AWSLaunchTemplate.InstanceMetadataOptions != nil {
+		dst.Spec.AWSLaunchTemplate.InstanceMetadataOptions = restored.Spec.AWSLaunchTemplate.InstanceMetadataOptions
+	}
 
 	return nil
 }
@@ -78,6 +81,18 @@ func (src *AWSManagedMachinePool) ConvertTo(dstRaw conversion.Hub) error {
 	if err := Convert_v1beta1_AWSManagedMachinePool_To_v1beta2_AWSManagedMachinePool(src, dst, nil); err != nil {
 		return err
 	}
+	// Manually restore data.
+	restored := &infrav1exp.AWSManagedMachinePool{}
+	if ok, err := utilconversion.UnmarshalData(src, restored); err != nil || !ok {
+		return err
+	}
+
+	if restored.Spec.AWSLaunchTemplate != nil {
+		if dst.Spec.AWSLaunchTemplate == nil {
+			dst.Spec.AWSLaunchTemplate = restored.Spec.AWSLaunchTemplate
+		}
+		dst.Spec.AWSLaunchTemplate.InstanceMetadataOptions = restored.Spec.AWSLaunchTemplate.InstanceMetadataOptions
+	}
 
 	return nil
 }
@@ -90,7 +105,7 @@ func (r *AWSManagedMachinePool) ConvertFrom(srcRaw conversion.Hub) error {
 		return err
 	}
 
-	return nil
+	return utilconversion.MarshalData(src, r)
 }
 
 // Convert_v1beta2_AWSManagedMachinePoolSpec_To_v1beta1_AWSManagedMachinePoolSpec is a conversion function.

exp/api/v1beta1/zz_generated.conversion.go

@@ -122,6 +122,10 @@ type AWSLaunchTemplate struct {
 
 	// SpotMarketOptions are options for configuring AWSMachinePool instances to be run using AWS Spot instances.
 	SpotMarketOptions *infrav1.SpotMarketOptions `json:"spotMarketOptions,omitempty"`
+
+	// InstanceMetadataOptions defines the behavior for applying metadata to instances.
+	// +optional
+	InstanceMetadataOptions *infrav1.InstanceMetadataOptions `json:"instanceMetadataOptions,omitempty"`
 }
 
 // Overrides are used to override the instance type specified by the launch template with multiple
@@ -217,10 +221,8 @@ type AutoScalingGroup struct {
 // ASGStatus is a status string returned by the autoscaling API.
 type ASGStatus string
 
-var (
-	// ASGStatusDeleteInProgress is the string representing an ASG that is currently deleting.
-	ASGStatusDeleteInProgress = ASGStatus("Delete in progress")
-)
+// ASGStatusDeleteInProgress is the string representing an ASG that is currently deleting.
+var ASGStatusDeleteInProgress = ASGStatus("Delete in progress")
 
 // TaintEffect is the effect for a Kubernetes taint.
 type TaintEffect string

exp/api/v1beta2/types.go

@@ -456,6 +456,20 @@ func (s *Service) createLaunchTemplateData(scope scope.LaunchTemplateScope, imag
 		UserData:     pointer.String(base64.StdEncoding.EncodeToString(userData)),
 	}
 
+	if lt.InstanceMetadataOptions != nil {
+		data.MetadataOptions = &ec2.LaunchTemplateInstanceMetadataOptionsRequest{
+			HttpEndpoint:         aws.String(string(lt.InstanceMetadataOptions.HTTPEndpoint)),
+			InstanceMetadataTags: aws.String(string(lt.InstanceMetadataOptions.InstanceMetadataTags)),
+		}
+
+		if lt.InstanceMetadataOptions.HTTPTokens != "" {
+			data.MetadataOptions.HttpTokens = aws.String(string(lt.InstanceMetadataOptions.HTTPTokens))
+		}
+		if lt.InstanceMetadataOptions.HTTPPutResponseHopLimit != 0 {
+			data.MetadataOptions.HttpPutResponseHopLimit = aws.Int64(lt.InstanceMetadataOptions.HTTPPutResponseHopLimit)
+		}
+	}
+
 	if len(lt.IamInstanceProfile) > 0 {
 		data.IamInstanceProfile = &ec2.LaunchTemplateIamInstanceProfileSpecificationRequest{
 			Name: aws.String(lt.IamInstanceProfile),
@@ -638,6 +652,21 @@ func (s *Service) SDKToLaunchTemplate(d *ec2.LaunchTemplateVersion) (*expinfrav1
 		VersionNumber: d.VersionNumber,
 	}
 
+	if v.MetadataOptions != nil {
+		i.InstanceMetadataOptions = &infrav1.InstanceMetadataOptions{
+			HTTPPutResponseHopLimit: aws.Int64Value(v.MetadataOptions.HttpPutResponseHopLimit),
+			HTTPTokens:              infrav1.HTTPTokensState(aws.StringValue(v.MetadataOptions.HttpTokens)),
+			HTTPEndpoint:            infrav1.InstanceMetadataEndpointStateEnabled,
+			InstanceMetadataTags:    infrav1.InstanceMetadataEndpointStateDisabled,
+		}
+		if v.MetadataOptions.HttpEndpoint != nil && aws.StringValue(v.MetadataOptions.HttpEndpoint) == "disabled" {
+			i.InstanceMetadataOptions.HTTPEndpoint = infrav1.InstanceMetadataEndpointStateDisabled
+		}
+		if v.MetadataOptions.InstanceMetadataTags != nil && aws.StringValue(v.MetadataOptions.InstanceMetadataTags) == "enabled" {
+			i.InstanceMetadataOptions.InstanceMetadataTags = infrav1.InstanceMetadataEndpointStateEnabled
+		}
+	}
+
 	if v.IamInstanceProfile != nil {
 		i.IamInstanceProfile = aws.StringValue(v.IamInstanceProfile.Name)
 	}
@@ -680,6 +709,9 @@ func (s *Service) LaunchTemplateNeedsUpdate(scope scope.LaunchTemplateScope, inc
 	if incoming.InstanceType != existing.InstanceType {
 		return true, nil
 	}
+	if !cmp.Equal(incoming.InstanceMetadataOptions, existing.InstanceMetadataOptions) {
+		return true, nil
+	}
 
 	incomingIDs, err := s.GetAdditionalSecurityGroupsIDs(incoming.AdditionalSecurityGroups)
 	if err != nil {