Enable IMDS IPv6 endpoint #12290
/test pull-kops-e2e-ipv6-conformance

/hold for comment on whether we should only enable this on ipv6 / dualstack clusters. I also haven't done any extensive testing around this field and its behavior on ipv4 / dualstack / ipv6 instances

Wonderful :)
> /hold for comment on whether we should only enable this on ipv6 / dualstack clusters. I also haven't done any extensive testing around this field and its behavior on ipv4 / dualstack / ipv6 instances

I think we should enable it for now only when `t.IPv6AddressCount > 0`.
Usually operators want to limit access to IMDS for security reasons.
@@ -45,6 +45,7 @@ func (t *LaunchTemplate) RenderAWS(c *awsup.AWSAPITarget, a, e, changes *LaunchT | |||
MetadataOptions: &ec2.LaunchTemplateInstanceMetadataOptionsRequest{ | |||
HttpPutResponseHopLimit: t.HTTPPutResponseHopLimit, | |||
HttpTokens: t.HTTPTokens, | |||
HttpProtocolIpv6: aws.String(ec2.LaunchTemplateInstanceMetadataProtocolIpv6Enabled), |
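Review bot: the added HttpProtocolIpv6 line hard-codes ec2.LaunchTemplateInstanceMetadataProtocolIpv6Enabled, while the two options directly above it (HttpPutResponseHopLimit and HttpTokens) take their values from the task t. As written, every rendered launch template turns on the IPv6 metadata endpoint, and a constant gives operators no way to leave it off. Consider carrying the value on the LaunchTemplate task and passing it here the same way as the neighbouring fields, set only when the instances actually use IPv6, so the metadata surface is not widened where it is not needed.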
The state should also be read back in Find()
I ended up adding it to the model so it can mimic IPv6AddressCount, so it is now in Find().
I agree that it makes sense to only do this for ipv6. But I'd use the

Let's say same way it's done for the IPv6 address count.

/test pull-kops-e2e-ipv6-conformance
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman
…290-origin-release-1.22 Automated cherry pick of #12290: Update aws-sdk-go
This is unconditionally enabled. There is an IPv4-equivalent "HttpEndpoint" field that defaults to enabled and we don't expose a way to disable it. HttpProtocolIpv6 defaults to disabled, so to have it match the same behavior of HttpEndpoint we hardcode it to enabled. Since we don't allow the ipv4 endpoint to be disabled, I don't think we need to expose a new API field to allow this to be overridden either.

I chose not to expose it through the model since any kops upgrade to include this functionality will always have other LaunchTemplate changes that will prompt a new LT version to be written which will include this change, so we don't need to find and detect any necessary LT updates for this field.

This now enables the IPv6 endpoint whenever IPv6AddressCount is > 0
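An added example, not part of this PR or of the kops code base: a Go check that an operator could run over the JSON printed by `aws ec2 describe-launch-template-versions` to confirm the rule the thread settles on (IPv6 IMDS endpoint only where IPv6AddressCount > 0) and that HttpTokens is still enforced. The function name `AuditIMDS` and the sample template names are assumptions made for the example, and the check only sees IPv6 addresses requested in the template itself, not ones a subnet assigns by default.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the EC2 DescribeLaunchTemplateVersions response body.
type ltVersions struct {
	LaunchTemplateVersions []struct {
		LaunchTemplateName string
		LaunchTemplateData struct {
			MetadataOptions   struct{ HttpTokens, HttpProtocolIpv6 string }
			NetworkInterfaces []struct{ Ipv6AddressCount int }
		}
	}
}

// Constructed sample, not output from a real account.
const sample = `{"LaunchTemplateVersions":[
 {"LaunchTemplateName":"nodes-v4","LaunchTemplateData":{"NetworkInterfaces":[{"DeviceIndex":0}],
  "MetadataOptions":{"HttpTokens":"required","HttpProtocolIpv6":"enabled"}}},
 {"LaunchTemplateName":"nodes-v6","LaunchTemplateData":{"NetworkInterfaces":[{"Ipv6AddressCount":1}],
  "MetadataOptions":{"HttpTokens":"optional","HttpProtocolIpv6":"enabled"}}}]}`

// AuditIMDS flags an IPv6 IMDS endpoint without IPv6 addresses, and IMDSv1.
func AuditIMDS(raw []byte) ([]string, error) {
	var doc ltVersions
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var findings []string
	for _, v := range doc.LaunchTemplateVersions {
		d, v6 := v.LaunchTemplateData, 0
		for _, ni := range d.NetworkInterfaces {
			v6 += ni.Ipv6AddressCount
		}
		if d.MetadataOptions.HttpProtocolIpv6 == "enabled" && v6 == 0 {
			findings = append(findings, v.LaunchTemplateName+": IPv6 IMDS endpoint enabled without IPv6 addresses")
		}
		if d.MetadataOptions.HttpTokens != "required" {
			findings = append(findings, v.LaunchTemplateName+": HttpTokens not required, IMDSv1 accepted")
		}
	}
	return findings, nil
}

func main() {
	fmt.Println(AuditIMDS([]byte(sample)))
}
```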