Add metadata-options to AWS node driver templates #25078

Closed
Oats87 opened this issue Jan 23, 2020 · 3 comments
Labels: area/aws, area/machine (Issues that deal with rancher-machine), kind/enhancement (Issues that improve or augment existing functionality)
Comments

@Oats87
Contributor

Oats87 commented Jan 23, 2020

What kind of request is this (question/bug/enhancement/feature request): Enhancement

Steps to reproduce (least amount of steps as possible): In order to enable IMDSv2 on AWS instances, you must start them using an option like

aws ec2 run-instances \
    --image-id ami-<BLAH> \
    --instance-type c3.large \
    --key-name MyKeyPair \
    --metadata-options "HttpEndpoint=enabled,HttpTokens=required"

specifically the --metadata-options. We should be able to set a value for --metadata-options when provisioning instances using the Rancher Machine AWS EC2 driver.

Result: N/A

The current version of Rancher at the time of filing this request is v2.3.4

@Oats87 Oats87 added kind/enhancement Issues that improve or augment existing functionality area/machine Issues that deal with rancher-machine area/aws labels Jan 23, 2020
@askldjd

askldjd commented May 9, 2020

So to work around this limitation, I wrote a cronjob to turn on IMDSv2 in the background as Rancher creates new EC2 nodes. Once the cronjob was implemented, we started seeing a high percentage of kubelet failures.

It turns out that kubelet failed to talk to IMDSv2 to resolve AZ information on startup.

Digging a bit deeper, I found out that aws-sdk-go 1.25.38 added support for imdsv2. Based on the godep information, that means only K8s 1.18+ supports IMDSv2.

To work around this, I would only turn on IMDSv2 after kubelet is up and the node joins the K8s cluster.

@aiyengar2
Contributor

Should be able to add httpTokens: required|optional and httpEndpoint: enabled|disabled as flags on a node template now to specify those metadata options within 2.4 head and master head.

@sowmyav27
Contributor

sowmyav27 commented Aug 5, 2020

Verified on master-head commit id: 217656d19 and 2.4-head commit id: c761bcd4d

  • Set the following options in the node template - httpTokens: required|optional and httpEndpoint: enabled|disabled (as a standard user)
  • On the node - aws ec2 describe-instances --instance-ids <instance id>
    "MetadataOptions": {
        "State": "applied",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1,
        "HttpEndpoint": "disabled"
    }
  • Validated all possible combinations.

Upgrade from 2.4.5 to 2.4-head

  • Deploy an AWS rke cluster
  • Upgrade to 2.4-head
  • By default, the values of httpTokens and httpEndpoint are Optional and Enabled on the existing node.
  • Edit the node template.
  • Change the disk size. The value for httpTokens is Optional and httpEndpoint is Enabled by default.
  • Add nodes to the cluster.
  • On the new nodes, httpTokens is Optional and httpEndpoint is Enabled.
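As an added example (not from this thread and not Rancher's own code), a Python audit that parses `aws ec2 describe-instances` JSON like the output shown above and reports instances that still accept IMDSv1, have a hop limit wider than wanted, or have a metadata-options change that is not yet applied (the situation the cronjob workaround above can leave a node in). The sample output is constructed inline; the instance ids and the `max_hop_limit` threshold are my assumptions.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output,
# trimmed to the fields this check needs; instance ids are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "MetadataOptions": {"State": "applied",
        "HttpTokens": "required", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb222", "MetadataOptions": {"State": "applied",
        "HttpTokens": "optional", "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc333", "MetadataOptions": {"State": "pending",
        "HttpTokens": "required", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
    {"InstanceId": "i-0ddd444"},  # no MetadataOptions block at all
]}]})


def audit_imds(describe_output: str, max_hop_limit: int = 1) -> dict:
    """Map instance id -> findings for instances weaker than 'IMDSv2 only,
    hop limit <= max_hop_limit'. Compliant instances are left out."""
    findings = {}
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            issues = []
            mo = inst.get("MetadataOptions")
            if mo is None:
                issues.append("MetadataOptions missing from output; re-check with a current CLI")
            else:
                # With the endpoint disabled there is nothing to reach, so the
                # token mode and hop limit do not matter for that instance.
                if mo.get("HttpEndpoint") != "disabled":
                    if mo.get("HttpTokens") != "required":
                        issues.append("HttpTokens=%s (IMDSv1 still accepted)" % mo.get("HttpTokens"))
                    hops = mo.get("HttpPutResponseHopLimit", 1)
                    if hops > max_hop_limit:
                        # A hop limit above 1 lets callers behind NAT on the node,
                        # such as pods without host networking, reach the metadata service.
                        issues.append("HttpPutResponseHopLimit=%d (exceeds %d)" % (hops, max_hop_limit))
                if mo.get("State") != "applied":
                    # Options changed after launch (e.g. by a cronjob) are not live until applied.
                    issues.append("State=%s (change not yet applied)" % mo.get("State"))
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_command(instance_id: str) -> str:
    """aws CLI call that enforces IMDSv2 on one instance (returned for review, not executed)."""
    return ("aws ec2 modify-instance-metadata-options --instance-id %s --http-tokens required "
            "--http-endpoint enabled --http-put-response-hop-limit 1" % instance_id)
```

Feed it the text of `aws ec2 describe-instances --output json` for a cluster's nodes; as the comment above notes, apply the remediation to a Rancher-provisioned node only after kubelet has joined the cluster.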
