Bug 1899220 - Support AWS IMDSv2
Summary: Support AWS IMDSv2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.7.0
Assignee: Sohan Kunkerkar
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On:
Blocks: 1915617
Reported: 2020-11-18 18:18 UTC by Colin Walters
Modified: 2021-02-24 15:35 UTC
CC: 7 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Ignition supports fetching configs on AWS from version 2 of the Instance Metadata Service (IMDSv2). Reason: AWS EC2 instances can be created with IMDSv1 disabled, so that IMDSv2 is needed to read the Ignition config from instance userdata. Result: Ignition successfully reads its config from instance userdata regardless of whether IMDSv1 is enabled.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:34:22 UTC
Target Upstream Version:




Links
System                            ID             Private  Priority  Status  Summary  Last Updated
Red Hat Knowledge Base (Solution) 5585551        0        None      None    None     2020-11-19 04:55:01 UTC
Red Hat Product Errata            RHSA-2020:5633 0        None      None    None     2021-02-24 15:35:06 UTC

Description Colin Walters 2020-11-18 18:18:34 UTC
See https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Basically today though, all attack vectors described there are blocked by the default OpenShift SDN network layer.  See:
https://github.com/openshift/origin/commit/9a9f30f5128593009ec9c50bb4c8e491fca55809

(The latest version of which currently lives here https://github.com/openshift/sdn/blob/bba15e2d344a6729d5aa7ac7d1ec14d2022219ab/cmd/sdn-cni-plugin/openshift-sdn_linux.go#L129 )

A regular web service pod that isn't running as hostNetwork would simply fail to access the EC2 metadata service.

Nevertheless, at some point we will enable OpenShift to run with IMDSv2.  There are multiple OpenShift components that will need changing (including the installer and likely machine API and others) but to start, I'm filing this against RHCOS because we need to fix this:

https://github.com/coreos/ignition/issues/1117
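
The IMDSv2 exchange this description is asking Ignition to support, as an added example (not code from this bug report, from Ignition, or from OpenShift): a client obtains a session token with a PUT to /latest/api/token carrying X-aws-ec2-metadata-token-ttl-seconds, then presents it in X-aws-ec2-metadata-token on the user-data GET. The metadata service here is an in-process stand-in for 169.254.169.254 constructed for the example, as are SampleUserData and the 203.0.113.9 address; it models only the token contract (TTL check, X-Forwarded-For refusal, v1 disabled vs. enabled), not every behaviour of the real service.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Header names and TTL limit from the real IMDSv2 protocol.
const (
	ttlHeader   = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHeader = "X-aws-ec2-metadata-token"
	maxTTL      = 21600 // six hours, the IMDSv2 maximum
)

// SampleUserData is constructed; on a real node this would be the Ignition config.
const SampleUserData = `{"ignition":{"version":"3.2.0"}}`

// fakeIMDS is a constructed, in-process stand-in for 169.254.169.254 (sequential use only).
type fakeIMDS struct {
	tokens    map[string]time.Time // token -> expiry
	v1Enabled bool                 // false models HttpTokens=required (IMDSv1 disabled)
}

func (f *fakeIMDS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == http.MethodPut && r.URL.Path == "/latest/api/token":
		// IMDSv2 refuses token requests carrying X-Forwarded-For: this blocks the open-reverse-proxy SSRF path.
		if r.Header.Get("X-Forwarded-For") != "" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		ttl, err := strconv.Atoi(r.Header.Get(ttlHeader))
		if err != nil || ttl < 1 || ttl > maxTTL {
			http.Error(w, "bad ttl", http.StatusBadRequest)
			return
		}
		buf := make([]byte, 16)
		rand.Read(buf)
		tok := fmt.Sprintf("%x", buf)
		f.tokens[tok] = time.Now().Add(time.Duration(ttl) * time.Second)
		io.WriteString(w, tok)
	case r.Method == http.MethodGet && r.URL.Path == "/latest/user-data":
		tok := r.Header.Get(tokenHeader)
		exp, known := f.tokens[tok]
		validToken := known && time.Now().Before(exp)
		if !validToken && (tok != "" || !f.v1Enabled) {
			// forged/expired token, or a bare IMDSv1-style GET while v1 is disabled
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		io.WriteString(w, SampleUserData)
	default:
		http.NotFound(w, r)
	}
}

// NewFakeIMDS starts the stand-in server; close it with srv.Close().
func NewFakeIMDS(v1Enabled bool) *httptest.Server {
	return httptest.NewServer(&fakeIMDS{tokens: map[string]time.Time{}, v1Enabled: v1Enabled})
}

// FetchToken performs the IMDSv2 PUT; viaProxy adds the X-Forwarded-For an open reverse proxy would.
func FetchToken(c *http.Client, base string, ttl int, viaProxy bool) (string, int, error) {
	req, _ := http.NewRequest(http.MethodPut, base+"/latest/api/token", nil)
	req.Header.Set(ttlHeader, strconv.Itoa(ttl))
	if viaProxy {
		req.Header.Set("X-Forwarded-For", "203.0.113.9") // constructed client address
	}
	return do(c, req)
}

// FetchUserData reads /latest/user-data; an empty token sends a bare IMDSv1-style GET.
func FetchUserData(c *http.Client, base, token string) (string, int, error) {
	req, _ := http.NewRequest(http.MethodGet, base+"/latest/user-data", nil)
	if token != "" {
		req.Header.Set(tokenHeader, token)
	}
	return do(c, req)
}

// do sends the request and returns body, HTTP status, and an error for any non-200 reply.
func do(c *http.Client, req *http.Request) (string, int, error) {
	resp, err := c.Do(req)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", resp.StatusCode, fmt.Errorf("%s %s: HTTP %d", req.Method, req.URL.Path, resp.StatusCode)
	}
	return string(b), resp.StatusCode, nil
}
```

With v1 disabled, a bare GET of /latest/user-data is answered 401 and only the PUT-then-GET sequence succeeds, which is why an Ignition that only knows IMDSv1 cannot boot such an instance. The real service adds one more control this stand-in cannot reproduce: by default the token response leaves with an IP hop limit of 1 (HttpPutResponseHopLimit), so a PUT relayed through another host or a container NAT never receives its token. On OpenShift, as the description notes, pods without hostNetwork are already kept off 169.254.169.254 by the SDN plugin, so IMDSv2 is a second, independent layer.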

Comment 1 Micah Abbott 2020-11-18 19:51:39 UTC
Targeting 4.7 with low pri/sev.  A quick look at the docs for IMDSv2 doesn't mention any phase out of v1, so it should be reasonable to continue to use it for the foreseeable future.

Additionally, I wasn't able to find any OCP RFEs that specifically request this functionality, so it doesn't appear to be high priority for our customers.  Interestingly, I did find hits for IMDSv2 support in RHEL (cloud-init) which appears to have landed as part of 8.3.

Comment 2 Sohan Kunkerkar 2020-12-04 17:42:32 UTC
Planning to work on this in the next sprint

Comment 3 Sohan Kunkerkar 2020-12-21 15:42:05 UTC
This is fixed in https://github.com/coreos/ignition/pull/1154

Comment 5 Michael Nguyen 2021-01-13 19:19:44 UTC
Verified on RHCOS 47.83.202101130443-0 which is a part of registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-13-124141.  This can be moved to verified once the boot image bump on the installer merges. (see https://github.com/openshift/installer/pull/4540)

$ sudo rpm-ostree status
State: idle
Deployments:
● ostree://2882c42eabc08be9f035310a0ab36c80e9877b12097bbefa8906e4faef59bdf6
                   Version: 47.83.202101130443-0 (2021-01-13T04:46:29Z)

Comment 6 Michael Nguyen 2021-01-22 13:42:36 UTC
Boot image was updated in registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-01-22-104107.  Closed as verified.

Comment 9 errata-xmlrpc 2021-02-24 15:34:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

