Default IMDSv2 to "optional" for AWS

cmd/kops/create_cluster_integration_test.go

@@ -44,7 +44,11 @@ var MagicTimestamp = metav1.Time{Time: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UT
 
 // TestCreateClusterMinimal runs kops create cluster minimal.example.com --zones us-test-1a
 func TestCreateClusterMinimal(t *testing.T) {
-	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal", "v1alpha2")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.16", "v1alpha2")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.17", "v1alpha2")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.18", "v1alpha2")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.19", "v1alpha2")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.20", "v1alpha2")
 }
 
 // TestCreateClusterOverride tests the override flag

docs/releases/1.20-NOTES.md

@@ -11,7 +11,7 @@
 * Default settings for AWS instances are updated to take advantage of recent performance and security features:
     * Default root volume encryption changes to enabled
     * Default root volume type changes from `gp2` to `gp3`
-    * Default instance metadata service (IMDS) v2 changes from `optional` to `required`
+    * Default instance metadata service (IMDS) v2 changes from `optional` to `required` for newly created clusters
 
 * Added [template funtions](https://kops.sigs.k8s.io/operations/cluster_template/#template-functions) for kubernetes version based on channel data.
 

pkg/model/awsmodel/autoscalinggroup.go

@@ -238,7 +238,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
 		SecurityGroups:                []*awstasks.SecurityGroup{sgLink},
 	}
 
-	t.HTTPTokens = fi.String(ec2.LaunchTemplateHttpTokensStateRequired)
+	t.HTTPTokens = fi.String(ec2.LaunchTemplateHttpTokensStateOptional)
 	if ig.Spec.InstanceMetadata != nil && ig.Spec.InstanceMetadata.HTTPTokens != nil {
 		t.HTTPTokens = ig.Spec.InstanceMetadata.HTTPTokens
 	}

tests/integration/create_cluster/complex/expected-v1alpha2.yaml

@@ -64,6 +64,8 @@ metadata:
   name: master-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -84,6 +86,8 @@ metadata:
   name: nodes-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1

tests/integration/create_cluster/ha/expected-v1alpha2.yaml

@@ -84,6 +84,8 @@ metadata:
   name: master-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -104,6 +106,8 @@ metadata:
   name: master-us-test-1b
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -124,6 +128,8 @@ metadata:
   name: master-us-test-1c
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -144,6 +150,8 @@ metadata:
   name: nodes-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1
@@ -164,6 +172,8 @@ metadata:
   name: nodes-us-test-1b
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1
@@ -184,6 +194,8 @@ metadata:
   name: nodes-us-test-1c
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1

tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml

@@ -84,6 +84,8 @@ metadata:
   name: master-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -104,6 +106,8 @@ metadata:
   name: master-us-test-1b
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -124,6 +128,8 @@ metadata:
   name: master-us-test-1c
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -144,6 +150,8 @@ metadata:
   name: nodes-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1
@@ -164,6 +172,8 @@ metadata:
   name: nodes-us-test-1b
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1
@@ -184,6 +194,8 @@ metadata:
   name: nodes-us-test-1c
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1

tests/integration/create_cluster/ha_shared_zone/expected-v1alpha2.yaml

@@ -76,6 +76,8 @@ metadata:
   name: master-us-test-1a-1
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -96,6 +98,8 @@ metadata:
   name: master-us-test-1a-2
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -116,6 +120,8 @@ metadata:
   name: master-us-test-1a-3
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -136,6 +142,8 @@ metadata:
   name: nodes-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1

tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml

@@ -92,6 +92,8 @@ metadata:
   name: master-us-test-1a-1
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -112,6 +114,8 @@ metadata:
   name: master-us-test-1a-2
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -132,6 +136,8 @@ metadata:
   name: master-us-test-1a-3
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -152,6 +158,8 @@ metadata:
   name: master-us-test-1b-1
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -172,6 +180,8 @@ metadata:
   name: master-us-test-1b-2
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -192,6 +202,8 @@ metadata:
   name: nodes-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1
@@ -212,6 +224,8 @@ metadata:
   name: nodes-us-test-1b
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1

tests/integration/create_cluster/ingwspecified/expected-v1alpha2.yaml

@@ -93,6 +93,8 @@ metadata:
   name: master-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: m3.medium
   maxSize: 1
   minSize: 1
@@ -113,6 +115,8 @@ metadata:
   name: nodes-us-test-1a
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210119.1
+  instanceMetadata:
+    httpTokens: required
   machineType: t2.medium
   maxSize: 1
   minSize: 1

tests/integration/create_cluster/minimal-1.16/expected-v1alpha2.yaml

@@ -0,0 +1,94 @@
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+  creationTimestamp: "2017-01-01T00:00:00Z"
+  name: minimal.example.com
+spec:
+  api:
+    dns: {}
+  authorization:
+    rbac: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://tests/minimal.example.com
+  containerRuntime: containerd
+  etcdClusters:
+  - cpuRequest: 200m
+    etcdMembers:
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
+      name: a
+    memoryRequest: 100Mi
+    name: main
+  - cpuRequest: 100m
+    etcdMembers:
+    - encryptedVolume: true
+      instanceGroup: master-us-test-1a
+      name: a
+    memoryRequest: 100Mi
+    name: events
+  iam:
+    allowContainerRegistry: true
+    legacy: false
+  kubelet:
+    anonymousAuth: false
+  kubernetesApiAccess:
+  - 0.0.0.0/0
+  kubernetesVersion: v1.16.0
+  masterPublicName: api.minimal.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    cni: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+  - 0.0.0.0/0
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    type: Public
+    zone: us-test-1a
+  topology:
+    dns:
+      type: Public
+    masters: public
+    nodes: public
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2017-01-01T00:00:00Z"
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+  name: master-us-test-1a
+spec:
+  image: kope.io/k8s-1.16-debian-stretch-amd64-hvm-ebs-2020-11-19
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  nodeLabels:
+    kops.k8s.io/instancegroup: master-us-test-1a
+  role: Master
+  subnets:
+  - us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2017-01-01T00:00:00Z"
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+  name: nodes-us-test-1a
+spec:
+  image: kope.io/k8s-1.16-debian-stretch-amd64-hvm-ebs-2020-11-19
+  machineType: t2.medium
+  maxSize: 1
+  minSize: 1
+  nodeLabels:
+    kops.k8s.io/instancegroup: nodes-us-test-1a
+  role: Node
+  subnets:
+  - us-test-1a

tests/integration/create_cluster/minimal-1.16/options.yaml

@@ -0,0 +1,6 @@
+ClusterName: minimal.example.com
+Zones:
+- us-test-1a
+CloudProvider: aws
+Networking: cni
+KubernetesVersion: v1.16.0