Basically today though, all attack vectors described there are blocked by the default OpenShift SDN network layer. See:
(The latest version of which currently lives here https://github.com/openshift/sdn/blob/bba15e2d344a6729d5aa7ac7d1ec14d2022219ab/cmd/sdn-cni-plugin/openshift-sdn_linux.go#L129 )
A regular web service pod that isn't running as hostNetwork would simply fail to access the EC2 metadata service.
Nevertheless, at some point we will enable OpenShift to run with IMDSv2. There are multiple OpenShift components that will need changing (including the installer and likely machine API and others) but to start, I'm filing this against RHCOS because we need to fix this:
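For reference, the IMDSv2 request sequence a fetcher like Ignition has to implement (a PUT for a session token, then GETs carrying that token), with the IMDSv1 fallback that stops working once an instance enforces v2. This is an added illustration, not code from the bug report, Ignition or the linked PR; the fake in-memory IMDS and its token/instance-id values are constructed for offline use.

```python
"""IMDSv2 token-then-GET flow with optional IMDSv1 fallback (added example)."""
import urllib.request
import urllib.error

IMDS_BASE = "http://169.254.169.254"  # EC2 instance metadata endpoint
TOKEN_PATH = "/latest/api/token"       # IMDSv2 session-token endpoint
TOKEN_TTL = "21600"                    # header value is a string of seconds


def _default_transport(method, url, headers, timeout=2.0):
    """Send one HTTP request and return (status, body). Used on a real instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def fetch_metadata(path, transport=_default_transport, allow_v1_fallback=True):
    """Fetch a metadata path via IMDSv2; fall back to IMDSv1 only if allowed.

    Returns (body, "v2" | "v1"). When the instance enforces IMDSv2
    (HttpTokens=required), the tokenless v1 GET gets HTTP 401 and fails.
    """
    status, token = transport("PUT", IMDS_BASE + TOKEN_PATH,
                              {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})
    if status == 200 and token:
        status, body = transport("GET", IMDS_BASE + path,
                                 {"X-aws-ec2-metadata-token": token})
        if status == 200:
            return body, "v2"
    if not allow_v1_fallback:
        raise RuntimeError("IMDSv2 token request failed; v1 fallback disabled")
    status, body = transport("GET", IMDS_BASE + path, {})
    if status != 200:
        raise RuntimeError(f"IMDS request failed with HTTP {status}")
    return body, "v1"


def make_fake_imds(tokens_required, v2_available=True):
    """Constructed in-memory IMDS: models v1-only, v2-optional and v2-required."""
    def transport(method, url, headers, timeout=2.0):
        if method == "PUT" and url.endswith(TOKEN_PATH):
            ok = v2_available and "X-aws-ec2-metadata-token-ttl-seconds" in headers
            return (200, "constructed-token") if ok else (404, "")
        if method == "GET":
            if headers.get("X-aws-ec2-metadata-token") == "constructed-token":
                return 200, "i-0constructed"
            return (401, "") if tokens_required else (200, "i-0constructed")
        return 404, ""
    return transport
```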
Targeting 4.7 with low pri/sev. A quick look at the docs for IMDSv2 doesn't mention any phase-out of v1, so it should be reasonable to continue to use it for the foreseeable future.
Additionally, I wasn't able to find any OCP RFEs that specifically request this functionality, so it doesn't appear to be high priority for our customers. Interestingly, I did find hits for IMDSv2 support in RHEL (cloud-init), which appears to have landed as part of 8.3.
Planning to work on this in the next sprint.
This is fixed in https://github.com/coreos/ignition/pull/1154
Verified on RHCOS 47.83.202101130443-0 which is a part of registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-13-124141. This can be moved to verified once the boot image bump on the installer merges. (see https://github.com/openshift/installer/pull/4540)
$ sudo rpm-ostree status
Version: 47.83.202101130443-0 (2021-01-13T04:46:29Z)
Boot image was updated in registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-22-104107. Closed as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.