Set IMDSv2 on by default for nodes and apiservers

[olemarkus]

This should mitigate security concerns around things like e.g enabling lifecycle hooks by default

[rifelpet]

I recall we initially defaulted this to enabled but reverted it in #10655. Can we address the issues that lead to the revert?

[olemarkus]

The revert was because it caused any pod that piggybacked on the instance's IAM role to fail. This should not happen on API server or worker nodes though. I hope it is rare that people add extra privileges to normal nodes and rather rely on KIAM (who should have their servers running on the control plane).

It also caused breakage on EBS CSI nodes because they rely on talking to the metadata service. This breakage was technically caused by me by removing hostnetworking: true from the DS manifest. We have added this back in now. Turns out it was exactly because of this they ran with hostNetworking.

I.e we should have addressed the issues now.

[rifelpet]

Typically changes like this we only enable for new clusters (and sometimes only for new clusters with k8s minor versions >= the kops minor version)

Any reason not to follow that same pattern here?

[olemarkus]

I want to play the security card here. But I am fine if we constrain this to a given k8s version too. But I think we really need this on by default on normal nodes. @johngmyers what do you think?

[hakman]

After thinking about this for some time, I think it it would be better to set this only when warm pool is involved.
For example, Flatcar will break completely when IMDSv2 is set and probably there are some other corner cases.
What do you think @olemarkus?

[olemarkus]

What makes flatcar break? Does it handle routing differently than other distros?

[johngmyers]

We should be having secure defaults, at least for new clusters.

[hakman]

Flatcar breaks because of the outdated AWS SDK: flatcar/ignition#19.
I agree that we should have secure defaults, but seems that this will require too many exceptions. Maybe it's not yet time for it to be a default.

[olemarkus]

Honestly, to me it looks like in this case we should use IMDSv2 by default and flatcar users should explicitly disable it. That this hasn't been fixed in flatcar sounds odd and I would prefer this not holding every other distro back from secure by default.

We can add an additinal callout here: https://kops.sigs.k8s.io/operations/images/#flatcar

[hakman]

Same story with Debian 9. It will most likely break many obscure workflows or setups where people were lazy to update.
Security minded people have the option to enable IMDSv2 quite easily. They can also debug any issues that might appear, much more than the others that won't know what hit them.

[rifelpet]

I agree that we should create secure clusters by default.

Does debian 10 work? I'm fine with documenting that using certain distros (particularly older ones) on new clusters will need to have an instancegroup field overridden. We would need to do something similar for userdata generation for bottlerocket and windows anyways, so it seems like a reasonable pattern to follow.

[johngmyers]

Corner cases don't detract from changing the default for new clusters to something more secure. They do detract from changing the default for existing clusters.

If there is an upcoming change, such as ServiceAccountIAM, which would significantly reduce the number of affected corner cases, that can argue to deferring the change of defaults.

[hakman]

Maybe best moved in main message.

[hakman]

Debian 10 does work. I can't say that I really agree that these are corner cases, but I agree that the vote is to go forward like this.
A problem that I see is that there is no easy way to keep automated tests working for Flatcar, as there is no flag to override this.
Also, as Peter was saying earlier, it would apply for older k8s versions, that we still support and for which the default image is Debian 9.

[johngmyers]

I could accept exempting new clusters that are on old k8s versions.

Do we need to resurrect #8531?

[rifelpet]

In office hours we decided that we can enable this for new k8s 1.22 clusters. This address the Debian 9 issue because it is already EOL, leaving flatcar compatibility unknown.

all node roles, token requred, hop limit 1

[olemarkus]

Implemented accordingly. Do we have any tests that uses k8s 1.22 yet?

[rifelpet]

We have a k8s-latest job but apparently its history is too large for testgrid and we need to reduce the retention on it. We also have an arm64 job that you could observe

[olemarkus]

Both of those cilium tests use latest. Should be good enough to see if this breaks anything.

[johngmyers]

Is this line necessary?

[olemarkus]

No. Removed.

[hakman]

I think this change will affect control plane nodes also.

[olemarkus]

Changed the wording to it is more clear.

[hakman]

The problem is not the wording but the intention.
As @rifelpet was saying above, conclusion from office hours was:

all node roles, token requred, hop limit 1

[olemarkus]

We cannot implement this on master roles though. Not until IRSA is used for all components and enabled by default.

[hakman]

Any special reason for using 3 as hop limit for Bastions?

[olemarkus]

No. Seems like a mistake.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hakman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rifelpet]

I think this release note needs updating to match the final behavior in this PR. It does affect control plane nodes but with a hop limit of 3 (along with apiserver nodes)