Re-enable AWS IMDSv1 fallback #39363

Merged
reedloden merged 1 commit into master from reed/reenable-imdsv1-fallback
Mar 14, 2024
@reedloden reedloden commented Mar 14, 2024

It was discovered that some customers' EKS clusters did not have their IMDSv2 hop limits set correctly (specifically, set to 1 instead of 2), causing requests for key functionality to attempt IMDSv1 fallback and fail.

For now, re-enable IMDSv1 fallback by way of removing the explicit disabling of EC2MetadataEnableFallback until better documentation, error handling, and other work can be done to inform customers that they need to correctly set their IMDSv2 hop limits.

This is a partial revert of #34170.

changelog: Re-enable AWS IMDSv1 fallback due to some EKS clusters having their IMDSv2 hop limit set to 1, leading to IMDSv2 requests failing. Users who wish to keep IMDSv1 fallback disabled can set the AWS_EC2_METADATA_V1_DISABLED environmental variable.
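
The misconfiguration this PR describes can be found ahead of time by auditing each node's instance metadata options. The following is an added example, not part of the PR or of Teleport's code: it parses a constructed `aws ec2 describe-instances` document (placeholder instance IDs) and assumes the instances are EKS worker nodes whose pods are not on the host network.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like `aws ec2 describe-instances` output; IDs are placeholders.
const sample = `{"Reservations":[{"Instances":[
 {"InstanceId":"i-example-a","MetadataOptions":{"HttpEndpoint":"enabled","HttpTokens":"optional","HttpPutResponseHopLimit":1}},
 {"InstanceId":"i-example-b","MetadataOptions":{"HttpEndpoint":"enabled","HttpTokens":"required","HttpPutResponseHopLimit":1}},
 {"InstanceId":"i-example-c","MetadataOptions":{"HttpEndpoint":"enabled","HttpTokens":"optional","HttpPutResponseHopLimit":2}},
 {"InstanceId":"i-example-d","MetadataOptions":{"HttpEndpoint":"enabled","HttpTokens":"required","HttpPutResponseHopLimit":2}}]}]}`
type describeOutput struct {
	Reservations []struct {
		Instances []struct {
			InstanceId      string
			MetadataOptions struct {
				HttpEndpoint, HttpTokens string
				HttpPutResponseHopLimit  int
			}
		}
	}
}
// AuditIMDS maps instance ID to a finding for each node that needs attention.
// Assumption: pods are not on the host network, so IMDSv2 needs a hop limit of 2.
func AuditIMDS(raw []byte) (map[string]string, error) {
	var out describeOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	findings := map[string]string{}
	for _, r := range out.Reservations {
		for _, i := range r.Instances {
			switch m := i.MetadataOptions; {
			case m.HttpEndpoint == "disabled": // IMDS is off, nothing to audit
			case m.HttpPutResponseHopLimit < 2 && m.HttpTokens != "required":
				findings[i.InstanceId] = "hop limit 1: pods reach IMDS only through IMDSv1 fallback"
			case m.HttpPutResponseHopLimit < 2:
				findings[i.InstanceId] = "hop limit 1, tokens required: IMDS requests from pods fail"
			case m.HttpTokens != "required":
				findings[i.InstanceId] = "IMDSv1 still accepted: set HttpTokens to required"
			}
		}
	}
	return findings, nil
}

func main() { fmt.Println(AuditIMDS([]byte(sample))) }
```

Flagged nodes can be corrected with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-put-response-hop-limit 2 --http-tokens required`, after which `AWS_EC2_METADATA_V1_DISABLED` can be set without breaking metadata access from pods.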

@reedloden reedloden self-assigned this Mar 14, 2024
@github-actions github-actions Bot added the application-access, audit-log, and size/sm labels Mar 14, 2024
@github-actions github-actions Bot requested a review from klizhentas March 14, 2024 17:31
It was discovered that some customers' EKS clusters did not have their IMDSv2 hop limits
set correctly, causing requests for key functionality to attempt IMDSv1 fallback and fail.

For now, re-enable IMDSv1 fallback by way of removing the explicit disabling of
`EC2MetadataEnableFallback` until better documentation, error handling, and other work
can be done to inform customers that they need to correctly set their IMDSv2 hop limits.

@reedloden reedloden force-pushed the reed/reenable-imdsv1-fallback branch from 1b80978 to 6e6c6d5 March 14, 2024 17:39

@espadolini espadolini left a comment

Perhaps in the changelog we could mention the possibility of setting the AWS_EC2_METADATA_V1_DISABLED envvar to still preclude the fallback to IMDSv1.

@reedloden

> Perhaps in the changelog we could mention the possibility of setting the AWS_EC2_METADATA_V1_DISABLED envvar to still preclude the fallback to IMDSv1.

Thanks. Added!

@reedloden reedloden enabled auto-merge March 14, 2024 18:04
@reedloden reedloden added this pull request to the merge queue Mar 14, 2024
Merged via the queue into master with commit 23c67d4 Mar 14, 2024
@reedloden reedloden deleted the reed/reenable-imdsv1-fallback branch March 14, 2024 18:31
@public-teleport-github-review-bot
@reedloden See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v15 | Create PR |
