Bug 1899220

Summary: Support AWS IMDSv2
Product: OpenShift Container Platform
Reporter: Colin Walters <walters>
Component: RHCOS
Assignee: Sohan Kunkerkar <skunkerk>
Status: CLOSED ERRATA
QA Contact: Michael Nguyen <mnguyen>
Severity: low
Docs Contact:
Priority: low
Version: 4.6
CC: aygarg, bbreard, bgilbert, imcleod, jligon, miabbott, nstielau
Target Milestone: ---
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Ignition supports fetching configs on AWS from version 2 of the Instance Metadata Service (IMDSv2).
Reason: AWS EC2 instances can be created with IMDSv1 disabled, so that IMDSv2 is needed to read the Ignition config from instance userdata.
Result: Ignition successfully reads its config from instance userdata regardless of whether IMDSv1 is enabled.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-24 15:34:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1915617

Description Colin Walters 2020-11-18 18:18:34 UTC
See https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Basically today though, all attack vectors described there are blocked by the default OpenShift SDN network layer.  See:
https://github.com/openshift/origin/commit/9a9f30f5128593009ec9c50bb4c8e491fca55809

(The latest version of which currently lives here https://github.com/openshift/sdn/blob/bba15e2d344a6729d5aa7ac7d1ec14d2022219ab/cmd/sdn-cni-plugin/openshift-sdn_linux.go#L129 )

A regular web service pod that isn't running as hostNetwork would simply fail to access the EC2 metadata service.

Nevertheless, at some point we will enable OpenShift to run with IMDSv2.  There are multiple OpenShift components that will need changing (including the installer and likely machine API and others) but to start, I'm filing this against RHCOS because we need to fix this:

https://github.com/coreos/ignition/issues/1117
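The exchange that the Ignition issue above is about, as an added example that is neither part of this bug report nor Ignition's own code: with IMDSv1 disabled on an instance, an unauthenticated GET of userdata is answered with HTTP 401, so a client first has to PUT to the token endpoint and then send the returned session token on the userdata GET. The paths and header names are AWS's documented ones (the real base URL is http://169.254.169.254); the in-memory fake metadata service, the sample Ignition config and the token value are constructed here, and the "try v2, fall back to v1 only when no token was issued" order in fetchUserDataV2First is an assumption about how a client keeps working on instances where IMDSv1 is still enabled.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Documented IMDS paths and header names; the real base URL is http://169.254.169.254.
const (
	tokenPath      = "/latest/api/token"
	userDataPath   = "/latest/user-data"
	tokenTTLHdr    = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHdr       = "X-aws-ec2-metadata-token"
	sampleUserData = `{"ignition":{"version":"3.2.0"}}` // constructed, served by the fake below
	sampleToken    = "constructed-session-token"       // constructed, issued by the fake below
)

var errUnauthorized = fmt.Errorf("HTTP 401 from metadata service: IMDSv1 is disabled and no valid session token was sent")

// fetchToken does the IMDSv2 handshake: a PUT with a TTL header; the 200 body is the session token.
func fetchToken(client *http.Client, base string, ttlSeconds int) (string, error) {
	req, err := http.NewRequest(http.MethodPut, base+tokenPath, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(tokenTTLHdr, fmt.Sprint(ttlSeconds))
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token request failed: %s", resp.Status)
	}
	tok, err := io.ReadAll(resp.Body)
	return string(tok), err
}

// fetchUserData reads userdata: an empty token means the unauthenticated IMDSv1-style GET.
func fetchUserData(client *http.Client, base, token string) ([]byte, error) {
	req, err := http.NewRequest(http.MethodGet, base+userDataPath, nil)
	if err != nil {
		return nil, err
	}
	if token != "" {
		req.Header.Set(tokenHdr, token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return nil, errUnauthorized
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("userdata request failed: %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// fetchUserDataV2First (assumed strategy) tries IMDSv2 first and sends the v1-style GET only when no token came back.
func fetchUserDataV2First(client *http.Client, base string) ([]byte, error) {
	tok, err := fetchToken(client, base, 21600) // 21600 s is the documented maximum TTL
	if err != nil {
		tok = ""
	}
	return fetchUserData(client, base, tok)
}

// newFakeIMDS is a constructed stand-in for IMDS; v1Enabled=false mimics HttpTokens=required (GET without token gets 401).
func newFakeIMDS(v1Enabled bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(tokenPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut || r.Header.Get(tokenTTLHdr) == "" { // tokens only via PUT with a TTL
			http.Error(w, "bad token request", http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, sampleToken)
	})
	mux.HandleFunc(userDataPath, func(w http.ResponseWriter, r *http.Request) {
		tok := r.Header.Get(tokenHdr)
		if (tok == "" && !v1Enabled) || (tok != "" && tok != sampleToken) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, sampleUserData)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeIMDS(false) // IMDSv1 disabled, as on a hardened instance
	defer srv.Close()
	data, err := fetchUserDataV2First(srv.Client(), srv.URL)
	fmt.Println(string(data), err)
}
```

Run as-is it reads the sample config through the v2 handshake from a fake that refuses v1-style GETs; flipping newFakeIMDS(true) shows the same client still succeeding on an instance where v1 is enabled, which is the property the bug asks Ignition to have.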

Comment 1 Micah Abbott 2020-11-18 19:51:39 UTC
Targeting 4.7 with low pri/sev.  A quick look at the docs for IMDSv2 doesn't mention any phase out of v1, so it should be reasonable to continue to use it for the foreseeable future.

Additionally, I wasn't able to find any OCP RFEs that specifically request this functionality, so it doesn't appear to be high priority for our customers.  Interestingly, I did find hits for IMDSv2 support in RHEL (cloud-init) which appears to have landed as part of 8.3.

Comment 2 Sohan Kunkerkar 2020-12-04 17:42:32 UTC
Planning to work on this in the next sprint

Comment 3 Sohan Kunkerkar 2020-12-21 15:42:05 UTC
This is fixed in https://github.com/coreos/ignition/pull/1154

Comment 5 Michael Nguyen 2021-01-13 19:19:44 UTC
Verified on RHCOS 47.83.202101130443-0 which is a part of registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-13-124141.  This can be moved to verified once the boot image bump on the installer merges. (see https://github.com/openshift/installer/pull/4540)

$ sudo rpm-ostree status
State: idle
Deployments:
● ostree://2882c42eabc08be9f035310a0ab36c80e9877b12097bbefa8906e4faef59bdf6
                   Version: 47.83.202101130443-0 (2021-01-13T04:46:29Z)

Comment 6 Michael Nguyen 2021-01-22 13:42:36 UTC
Boot image was updated in registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-22-104107.  Closed as verified.

Comment 9 errata-xmlrpc 2021-02-24 15:34:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633