
feat: support IMDSv2 ( use aws-go-sdk-v2 ) #344

Merged
merged 4 commits into from
Nov 19, 2023

Conversation

Insidexa
Contributor

@Insidexa Insidexa commented Aug 6, 2022

What this PR does / why we need it:

  1. Support EKS 1.22
  2. Use IMDSv2 for the server definition. Before this, the server healthcheck made the metadata request without a token and the healthcheck went into a failed state. After the healthcheck has failed, no pod can AssumeRole, if I understood correctly.
  3. Upgraded aws-go-sdk to v2, which sends the token automatically.

Which issue this PR fixes

(optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged)

Special notes:

  • Use aws-go-sdk-v2
  • The aws-go-sdk-v2 requires a minimum version of Go 1.15
  • Support EKS 1.22

Checklist chart

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • Chart Version bumped
  • Variables are documented in the README.md
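
The PR description above says the old healthcheck hit the metadata endpoint without a token and failed once the instance required IMDSv2. The following Go program is an added example written for this page; it is not kube2iam code and not part of the PR. It reproduces the failure and the fix against a constructed in-process stand-in for the metadata service: the header names, the PUT-then-GET exchange and the 21600-second TTL cap are the real IMDSv2 protocol, while the token value, the role name and the fake server itself are constructed for the example. In the real code base this exchange is what aws-sdk-go-v2 (its feature/ec2/imds client) performs on its own, which is why the PR switches SDK versions rather than patching the old request.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Constructed values served by the fake IMDS below; not real AWS data.
const (
	fakeToken    = "constructed-imdsv2-session-token"
	fakeRoleName = "constructed-instance-role"
	maxTokenTTL  = 21600 // IMDSv2 caps the session token TTL at six hours
)

// newFakeIMDS runs an in-process stand-in for the EC2 metadata service with
// HttpTokens=required, i.e. IMDSv2 only: a PUT to /latest/api/token issues a
// session token, and every metadata GET without that token is refused.
func newFakeIMDS() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/latest/api/token", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		ttl, err := strconv.Atoi(r.Header.Get("X-aws-ec2-metadata-token-ttl-seconds"))
		if err != nil || ttl < 1 || ttl > maxTokenTTL {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		io.WriteString(w, fakeToken)
	})
	mux.HandleFunc("/latest/meta-data/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-aws-ec2-metadata-token") != fakeToken {
			w.WriteHeader(http.StatusUnauthorized) // what an IMDSv1-style request gets
			return
		}
		io.WriteString(w, fakeRoleName)
	})
	return httptest.NewServer(mux)
}

// fetchToken is the first half of an IMDSv2 call: PUT /latest/api/token with
// the requested TTL, returning the session token for subsequent requests.
func fetchToken(base string, ttl time.Duration) (string, error) {
	req, err := http.NewRequest(http.MethodPut, base+"/latest/api/token", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", strconv.Itoa(int(ttl.Seconds())))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token request refused: %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// getMetadata performs a metadata GET. With token == "" it behaves like the
// old healthcheck described in the PR (an IMDSv1 request); with a token it is
// an IMDSv2 request. It returns the HTTP status code and the response body.
func getMetadata(base, path, token string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, base+path, nil)
	if err != nil {
		return 0, "", err
	}
	if token != "" {
		req.Header.Set("X-aws-ec2-metadata-token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	srv := newFakeIMDS()
	defer srv.Close()
	const credsPath = "/latest/meta-data/iam/security-credentials/"

	status, _, _ := getMetadata(srv.URL, credsPath, "")
	fmt.Println("IMDSv1-style request:", status) // 401 on an IMDSv2-only instance

	token, err := fetchToken(srv.URL, 6*time.Hour)
	if err != nil {
		panic(err)
	}
	status, body, _ := getMetadata(srv.URL, credsPath, token)
	fmt.Println("IMDSv2 request:", status, body) // 200 constructed-instance-role
}
```

Run it with `go run`. The tokenless request gets 401, which is the state the old healthcheck ended up in on an instance with HttpTokens=required. The PUT is the point of IMDSv2: a plain GET cannot start a session, so an SSRF that can only issue GETs cannot pull instance credentials. Because kube2iam runs with hostNetwork (see the DaemonSet later in this thread), its token PUT originates from the host itself, so the hop limit of 1 that AWS recommends for IMDSv2 does not get in its way.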

@sp-manuel-jurado

sp-manuel-jurado commented Jul 6, 2023

Is anyone interested in merging this? Probably Amazon will stop supporting the metadata API v1 sooner than we think...

@SCLogo

SCLogo commented Oct 24, 2023

@Insidexa will you resolve the conflicts?

@Insidexa
Contributor Author

@SCLogo yes, ~1w estimated time

@Insidexa
Contributor Author

Insidexa commented Nov 8, 2023

Guys, I don't know, do we need to update the IAM tests with regions? Because the regions are loaded from the AWS API.

@jtblin jtblin merged commit 0bf7505 into jtblin:master Nov 19, 2023
@jtblin
Owner

jtblin commented Nov 20, 2023

Thanks @Insidexa, I fixed the unit tests for regions. The PR is now merged, gonna let it soak on master for a bit before releasing as 'latest'. I created a dev release as jtblin/kube2iam-amd64:dev, could people try it and verify everything works fine please?

@atze234

atze234 commented Nov 21, 2023

Hi @jtblin ,
I wanted to test it, but it seems this dev image is arm64 only, just like the 0.11.2 release.

@jtblin
Owner

jtblin commented Nov 27, 2023

@atze234 that should be fixed with jtblin/kube2iam:dev now which supports arm64 and amd64.

@atze234

atze234 commented Dec 13, 2023

Hi @jtblin,
sorry for the delay. I've tested with 0.11.2 and :dev. Both versions are working with IMDSv2 for me.
Thank you

@jsebastianmal

Hi @atze234, currently I'm trying to install kube2iam 0.11.2 or latest in my EKS cluster, but I get several errors. Could you tell me if my deployment is okay? I use it as a DaemonSet.

DaemonSet:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube2iam
  namespace: kube-system
---
apiVersion: v1
items:
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: kube2iam
    rules:
      # read-only: kube2iam only needs to map pods and namespaces to role annotations
      - apiGroups: [""]
        resources: ["namespaces","pods"]
        verbs: ["get","watch","list"]
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kube2iam
    subjects:
    - kind: ServiceAccount
      name: kube2iam
      namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: kube2iam
      apiGroup: rbac.authorization.k8s.io
kind: List
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube2iam
  namespace: kube-system
  labels:
    app: kube2iam
spec:
  selector:
    matchLabels:
      name: kube2iam
  template:
    metadata:
      labels:
        name: kube2iam
    spec:
      serviceAccountName: kube2iam
      hostNetwork: true   # kube2iam must sit on the node network to intercept metadata traffic
      containers:
        - image: jtblin/kube2iam:0.11.2
          imagePullPolicy: Always
          name: kube2iam
          args:
            - "--app-port=8181"
            - "--base-role-arn=arn:aws:iam::XXXXXXXX:role/kube2iamdemo"
            - "--iptables=true"          # redirect pod traffic for 169.254.169.254 to kube2iam
            - "--host-ip=$(HOST_IP)"
            - "--host-interface=eni+"    # interface prefix used by amazon-vpc-cni on EKS
            - "--verbose"
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP   # equals the node IP because of hostNetwork
          ports:
            - containerPort: 8181
              hostPort: 8181
              name: http
          securityContext:
            privileged: true   # needed to insert the iptables redirect rule

and this is my role kube2iamdemo in AWS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-node-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Any help or suggestions?

@atze234

atze234 commented Jan 3, 2024

Hi @jsebastianmal ,
and what errors did you get there?

@jsebastianmal

jsebastianmal commented Jan 3, 2024

Hi @atze234, these are the errors in my kube2iam:

kubectl logs kube2iam-kdmlw | grep Error
time="2024-01-03T16:07:32Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103
time="2024-01-03T16:08:04Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.remote=10.160.7.13
time="2024-01-03T16:08:39Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103
time="2024-01-03T16:09:10Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.remote=10.160.7.13
time="2024-01-03T16:10:00Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103
time="2024-01-03T16:10:39Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.remote=10.160.7.13

This is an example of my IAM role

alfa-dev-eks-alfa-digital-dev-integrations

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXXX:role/alfa-dev-eks-node-role",
                    "arn:aws:iam::XXXXXXXXX:role/alfa-dev-eks-external-secrets-role"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

My app already sets the AWS region

src/main/resources/application.yml

aws:
  region: us-east-2
  sqs:

and these are my app logs:

11:16:10.670 [main] ERROR c.a.s.j.AmazonSQSMessagingClientWrapper -
        AmazonClientException: getQueueUrl.
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@43d65a81: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@5aa781f2: Internal Server Error (Service: null; Status Code: 500; Error Code: null; Request ID: null; Proxy: null)]

@jsebastianmal

Hi @atze234, I found a bad config in my IAM role. When I adjusted it with the correct policy in our IAM node group, kube2iam with IMDSv2 and my apps work fine.

Thanks for your support. ;)
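
The resolution above was a misconfigured IAM role, and both trust policies pasted earlier in the thread show the relationship kube2iam depends on: every role a pod should receive must trust the node instance role (the identity kube2iam itself runs under) for sts:AssumeRole. The following Go program is an added example for this page, not kube2iam code and not something posted in the thread. It parses a trust policy and reports whether a given node role ARN is allowed to assume it, handling the string-or-list forms IAM accepts for Principal.AWS and Action. The two policies and the account ID 111111111111 are constructed. It ignores Condition elements and treats an account-root principal (arn:aws:iam::ACCOUNT:root) as a non-match even though IAM would then defer to the node role's own identity policies, so it can answer "no" for a role that is in fact assumable; it never answers "yes" for one that is not.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample trust policies; the account ID is a placeholder.
const goodTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:role/alfa-dev-eks-node-role",
          "arn:aws:iam::111111111111:role/alfa-dev-eks-external-secrets-role"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}`

// Same shape, but it trusts a different role, so AssumeRole from the node fails.
const badTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/some-other-role" },
      "Action": ["sts:AssumeRole", "sts:TagSession"]
    }
  ]
}`

type statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"` // "*" or an object
	Action    json.RawMessage `json:"Action"`    // string or list
}

type trustPolicy struct {
	Statement []statement `json:"Statement"`
}

// stringOrList decodes a policy element IAM allows as either "x" or ["x","y"].
func stringOrList(raw json.RawMessage) ([]string, error) {
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, fmt.Errorf("expected string or list of strings, got %s", raw)
	}
	return many, nil
}

// awsPrincipals returns the IAM principals of a statement. A bare "*" is
// returned as "*"; Service and Federated principals are not IAM identities
// and are ignored here.
func awsPrincipals(raw json.RawMessage) ([]string, error) {
	var star string
	if err := json.Unmarshal(raw, &star); err == nil {
		return []string{star}, nil
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(raw, &obj); err != nil {
		return nil, fmt.Errorf("unparseable Principal: %s", raw)
	}
	aws, ok := obj["AWS"]
	if !ok {
		return nil, nil
	}
	return stringOrList(aws)
}

func coversAssumeRole(actions []string) bool {
	for _, a := range actions {
		switch strings.ToLower(a) {
		case "sts:assumerole", "sts:*", "*":
			return true
		}
	}
	return false
}

// nodeRoleCanAssume reports whether roleARN may sts:AssumeRole into a role
// carrying this trust policy. A matching explicit Deny wins over any Allow.
func nodeRoleCanAssume(policyJSON, roleARN string) (bool, error) {
	var pol trustPolicy
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return false, fmt.Errorf("invalid trust policy JSON: %w", err)
	}
	allowed := false
	for _, st := range pol.Statement {
		actions, err := stringOrList(st.Action)
		if err != nil {
			return false, err
		}
		principals, err := awsPrincipals(st.Principal)
		if err != nil {
			return false, err
		}
		matched := false
		for _, p := range principals {
			if p == "*" || p == roleARN {
				matched = true
			}
		}
		if !matched || !coversAssumeRole(actions) {
			continue
		}
		if st.Effect == "Deny" {
			return false, nil
		}
		if st.Effect == "Allow" {
			allowed = true
		}
	}
	return allowed, nil
}

func main() {
	node := "arn:aws:iam::111111111111:role/alfa-dev-eks-node-role"
	for name, pol := range map[string]string{"good": goodTrustPolicy, "bad": badTrustPolicy} {
		ok, err := nodeRoleCanAssume(pol, node)
		fmt.Printf("%s policy: node role can assume = %v (err=%v)\n", name, ok, err)
	}
}
```

Run it against the trust policy of each role referenced by a pod annotation, with the ARN of the node group's instance role; a "false" for a role that a pod is annotated with is the kind of mismatch that surfaces in kube2iam only as a failed AssumeRole at request time.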

@szuecs szuecs mentioned this pull request Jan 4, 2024
@bbegw bbegw mentioned this pull request May 31, 2024
Development

Successfully merging this pull request may close these issues.

eks 1.22
7 participants