Enable IMDS IPv6 endpoint #12290
Enable IMDS IPv6 endpoint #12290
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
/test pull-kops-e2e-ipv6-conformance /hold for comment on whether we should only enable this on ipv6 / dualstack clusters. I also havent done any extensive testing around this field and its behavior on ipv4 / dualstack / ipv6 instances |
k8s-ci-robot
added
the
do-not-merge/hold
|
Wonderful :) |
There was a problem hiding this comment.
/hold for comment on whether we should only enable this on ipv6 / dualstack clusters. I also havent done any extensive testing around this field and its behavior on ipv4 / dualstack / ipv6 instances
I think we should enable it for now only when t.IPv6AddressCount > 0.
Usually operators want to limit access to IMDS for security reasons.
| @@ -45,6 +45,7 @@ func (t *LaunchTemplate) RenderAWS(c *awsup.AWSAPITarget, a, e, changes *LaunchT | |||
| MetadataOptions: &ec2.LaunchTemplateInstanceMetadataOptionsRequest{ | |||
| HttpPutResponseHopLimit: t.HTTPPutResponseHopLimit, | |||
| HttpTokens: t.HTTPTokens, | |||
| HttpProtocolIpv6: aws.String(ec2.LaunchTemplateInstanceMetadataProtocolIpv6Enabled), | |||
There was a problem hiding this comment.
The state should also be read back in Find()
There was a problem hiding this comment.
I ended up adding it to the model so it can mimic IPv6AddressCount, so it is now in Find().
|
I agree that it makes sense to only do this only for ipv6. But I'd use the |
Let's say same way it's done for the IPv6 address count. |
|
/test pull-kops-e2e-ipv6-conformance |
k8s-ci-robot
removed
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
…290-origin-release-1.22 Automated cherry pick of #12290: Update aws-sdk-go
This is unconditionally enabled.There is an IPv4-equivlanet "HttpEndpoint" field that defaults to enabled and we dont expose a way to disable it.HttpProtocolIpv6 defaults to disabled, so to have it match the same behavior of HttpEndpoint we hardcode it to enabled.Since we dont allow the ipv4 endpoint to be disabled, I dont think we need to expose a new API field to allow this to be overridden either.~
I chose not to expose it through the model since any kops upgrade to include this functionality will always have other LaunchTemplate changes that will prompt a new LT version to be written which will include this change, so we dont need to find and detect any necessary LT updates for this field.This now enables the IPv6 endpoint whenever IPv6AddressCount is > 0