Allow trailing / on security-credentials endpoint #42
Conversation
cb2aa87 to ad34412
This commit makes it possible to reach the http://169.254.169.254/meta-data/iam/security-credentials/ without the trailing slash. The Golang AWS SDK doesn't seem to call the endpoint with a trailing slash: https://github.com/aws/aws-sdk-go/blob/b2dc98bb584e48b0f5f39c93110633173c5da43c/aws/credentials/ec2rolecreds/ec2_role_provider_test.go#L37 I guess the implementation varies across SDKs (the Java SDK, for instance, seems to make its call with a trailing slash). As a consequence, Kiam doesn't swallow requests made with this SDK and simply forwards the request to the original EC2 instance metadata service, which returns the instance's role name instead of the one set in the calling pod's annotation.
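An added example (not Kiam's own code) modelling the interception difference the description reports: a small Go proxy stand-in built on net/http/httptest, where an exact-path match lets the no-slash request fall through to the upstream metadata service and come back with the node's role, while a match that treats the trailing slash as optional intercepts both spellings. The path string and the two role names are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed role names: the node's instance profile role and the role
// named in the calling pod's annotation (hypothetical values).
const (
	nodeRole = "node-instance-role"
	podRole  = "pod-annotated-role"
)

// credentialsPath is the endpoint path as written in the PR description;
// the Go SDK requests it without the trailing slash.
const credentialsPath = "/meta-data/iam/security-credentials/"

// matchesExact models the pre-fix check: only the slash spelling is intercepted.
func matchesExact(path string) bool { return path == credentialsPath }

// matchesEitherForm models the fix: the trailing slash is optional.
func matchesEitherForm(path string) bool {
	return strings.TrimSuffix(path, "/") == strings.TrimSuffix(credentialsPath, "/")
}

// proxyHandler models the proxy decision: intercepted requests are answered
// with the pod's annotated role; anything else is forwarded to an upstream
// stand-in that, like the real metadata service, returns the node's own role.
func proxyHandler(match func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if match(r.URL.Path) {
			fmt.Fprint(w, podRole)
			return
		}
		fmt.Fprint(w, nodeRole) // upstream metadata service stand-in
	})
}

// RoleSeenBy returns the role name a client requesting path would receive
// from a proxy built with the given matcher.
func RoleSeenBy(match func(string) bool, path string) string {
	rec := httptest.NewRecorder()
	proxyHandler(match).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Body.String()
}

func main() {
	for _, p := range []string{credentialsPath, strings.TrimSuffix(credentialsPath, "/")} {
		fmt.Printf("%-40s exact=%s optional=%s\n", p, RoleSeenBy(matchesExact, p), RoleSeenBy(matchesEitherForm, p))
	}
}
```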
ad34412 to 591b67f
I'd like to see if someone can replicate this, we have a large number of apps using the golang aws sdk with kiam and we have not encountered this problem. That file you've linked to hasn't changed since 2016 so it seems unlikely that a new release has broken this.
@Joseph-Irving I've seen similar stuff noted with kube2iam:
Be worth investigating why we don't see the same behaviour - maybe we've got people using older versions of the SDK?
Given the kube2iam PRs/issues it's probably safe to just include the change so that the trailing slash is optional but agree with @Joseph-Irving it'd be worth checking why we haven't seen this behaviour yet on our clusters.
Having re-read some of the identical kube2iam issues it seems that this kind of problem also depends on instance type - m5 vs m4 shows different behaviour when accessing
Ooooh great catch @pingles :o I'm running on If I'm correct, according to what AWS announced, generation 5 instances use a "new type of virtualization" and, therefore, a new hypervisor with a new metadata API that behaves in a slightly different way on this endpoint, I guess :/ I ran a few tests out of curiosity:
while on an
With all that in mind, I don't think that having
Thanks- I've merged this now. I'm not going to tag it until we've had a chance to run this on our clusters but you can use immediately with either of these tags:
Thanks!
Great :) Thanks for the Docker images, I'll quietly wait for the next release though. Thanks again for developing