1899220 – Support AWS IMDSv2

Bug 1899220 - Support AWS IMDSv2

Summary: Support AWS IMDSv2

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	RHCOS
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	4.7.0
Assignee:	Sohan Kunkerkar
QA Contact:	Michael Nguyen
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1915617
TreeView+	depends on / blocked

Reported:	2020-11-18 18:18 UTC by Colin Walters
Modified:	2024-03-25 17:08 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	Feature: Ignition supports fetching configs on AWS from version 2 of the Instance Metadata Service (IMDSv2). Reason: AWS EC2 instances can be created with IMDSv1 disabled, so that IMDSv2 is needed to read the Ignition config from instance userdata. Result: Ignition successfully reads its config from instance userdata regardless of whether IMDSv1 is enabled.
Clone Of:
Environment:
Last Closed:	2021-02-24 15:34:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	5585551	0	None	None	None	2020-11-19 04:55:01 UTC
Red Hat Product Errata	RHSA-2020:5633	0	None	None	None	2021-02-24 15:35:06 UTC

Description Colin Walters 2020-11-18 18:18:34 UTC

See https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Basically today though, all attack vectors described there are blocked by the default OpenShift SDN network layer.  See:
https://github.com/openshift/origin/commit/9a9f30f5128593009ec9c50bb4c8e491fca55809

(The latest version of which currently lives here https://github.com/openshift/sdn/blob/bba15e2d344a6729d5aa7ac7d1ec14d2022219ab/cmd/sdn-cni-plugin/openshift-sdn_linux.go#L129 )

A regular web service pod that isn't running as hostNetwork would simply fail to access the EC2 metadata service.

Nevertheless, at some point we will enable OpenShift to run with IMDSv2.  There are multiple OpenShift components that will need changing (including the installer and likely machine API and others) but to start, I'm filing this against RHCOS because we need to fix this:

https://github.com/coreos/ignition/issues/1117

Comment 1 Micah Abbott 2020-11-18 19:51:39 UTC

Targeting 4.7 with low pri/sev.  A quick look at the docs for IMDSv2 doesn't mention any phase out of v1, so it should be reasonable to continue to use it for the foreseeable future.

Additionally, I wasn't able to find any OCP RFEs that specifically request this functionality, so it doesn't appear to be high priority for our customers.  Interestingly, I did find hits for IMDSv2 support in RHEL (cloud-init) which appears to have landed as part of 8.3

Comment 2 Sohan Kunkerkar 2020-12-04 17:42:32 UTC

Planning to work on this in the next sprint

Comment 3 Sohan Kunkerkar 2020-12-21 15:42:05 UTC

This is fixed in https://github.com/coreos/ignition/pull/1154

Comment 5 Michael Nguyen 2021-01-13 19:19:44 UTC

Verified on RHCOS 47.83.202101130443-0 which is a part of registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-13-124141.  This can be moved to verified once the boot image bump on the installer merges. (see https://github.com/openshift/installer/pull/4540)
  

$ sudo rpm-ostree status
State: idle
Deployments:
● ostree://2882c42eabc08be9f035310a0ab36c80e9877b12097bbefa8906e4faef59bdf6
                   Version: 47.83.202101130443-0 (2021-01-13T04:46:29Z)

Comment 6 Michael Nguyen 2021-01-22 13:42:36 UTC

Boot image was updated in registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-22-104107.  Closed as verified.

Comment 9 errata-xmlrpc 2021-02-24 15:34:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Note You need to log in before you can comment on or make changes to this bug.