Set http_put_response_hop_limit = 1 by default #3333

Open
niooss-ledger opened this issue Mar 31, 2025 · 4 comments

Comments

@niooss-ledger

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

  • Yes ✅: changing IMDS options has been available for a long time.

Is your request related to a problem? Please describe.

AWS EKS Best Practices Guide recommends setting http_put_response_hop_limit = 1 (in section "Identities and Credentials for EKS pods Recommendations", subsection "Restrict access to the instance profile assigned to the worker node"):

You can block access to instance metadata by requiring the instance to use IMDSv2 only and updating the hop count to 1 as in the example below. [...]

If you are using Terraform to create launch templates for use with Managed Node Groups, add the metadata block to configure the hop count as seen in this code snippet:

resource "aws_launch_template" "foo" {
    name = "foo"
    …
    metadata_options {
        http_endpoint = "enabled"
        http_tokens = "required"
        http_put_response_hop_limit = 1
        instance_metadata_tags = "enabled"
    }
    …
}

The EKS Terraform module would be easier to use in a secure way if http_put_response_hop_limit was set to 1 by default.

Describe the solution you'd like.

When creating an EKS cluster with Terraform with few options, I would like its metadata_options.http_put_response_hop_limit to be set to 1 instead of 2.

Describe alternatives you've considered.

Defining metadata_options.http_put_response_hop_limit = 1 in all Terraform projects works, but it is quite cumbersome.

Additional context

I am not aware of a legitimate use case for http_put_response_hop_limit = 2 in EKS nodes in 2025. AWS documents a warning:

Blocking access to instance metadata will prevent pods that do not use IRSA or EKS Pod Identities from inheriting the role assigned to the worker node.

Using the role assigned to the worker node in a pod is actually very dangerous because this role has special rights in the Kubernetes cluster (it can be used for example to read the Kubernetes Secrets used by pods running on the same node).

To make a pod able to use AWS resources without using the role assigned to the worker node, several robust ways exist: IRSA, EKS Pod Identities, or even putting long-term AWS credentials in Kubernetes Secrets used by the pod (which is not considered state of the art in terms of security).

I suggest modifying the default value in

http_put_response_hop_limit = 2

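As an added example (not code from the issue author or the terraform-aws-eks module), a small audit that applies the two settings discussed above (IMDSv2 required, hop limit 1) to data shaped like the EC2 DescribeInstances response; the instance IDs and sample data are constructed, and the fallback hop limit of 1 when the field is absent is an assumption.

```python
"""Audit EC2 metadata options against the EKS best-practice baseline (added example)."""

HOP_LIMIT_MAX = 1             # value the issue asks the module to default to
REQUIRED_TOKENS = "required"  # IMDSv2 only


def audit_metadata_options(reservations):
    """Return (instance_id, finding) pairs for instances that deviate.

    `reservations` has the structure of DescribeInstances()["Reservations"],
    i.e. a list of {"Instances": [{"InstanceId": ..., "MetadataOptions": {...}}]}.
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS switched off entirely: nothing for a pod to reach
            if opts.get("HttpTokens") != REQUIRED_TOKENS:
                findings.append((iid, "IMDSv1 still allowed (HttpTokens != required)"))
            # Assumption: treat a missing field as the EC2 API default of 1.
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > HOP_LIMIT_MAX:
                # With hop limit 2 the IMDSv2 token response can cross one extra
                # network hop, which is what lets a pod on the node reach IMDS.
                findings.append((iid, f"hop limit {hop} > {HOP_LIMIT_MAX}: pods can reach IMDS"))
    return findings


# Constructed sample mimicking DescribeInstances output (instance IDs are not real).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example1",  # current module default: tokens required, hop 2
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example2",  # recommended configuration
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example3",  # legacy: IMDSv1 allowed and hop 2
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
    ]}
]

if __name__ == "__main__":
    for iid, msg in audit_metadata_options(SAMPLE_RESERVATIONS):
        print(f"{iid}: {msg}")
```

The same function can be fed the real output of `boto3.client("ec2").describe_instances()["Reservations"]` to find nodes that inherited the hop limit of 2.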

@niooss-ledger
Author

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/de50bdd80b227fb2ed940b30e33c224065d8c035/docs/deploy/installation.md#using-the-amazon-ec2-instance-metadata-server-version-2-imdsv2

Thanks for the reference. I have not been using AWS Load Balancer Controller (LBC) in my EKS clusters so I was not aware of this limitation. From what I understand, AWS LBC is using the IMDS to retrieve the AWS region and the VPC ID (in pkg/aws/cloud.go).

For some years, the LBC has been updated to be able to rely on other sources of information instead of the IMDS:

So it seems that when the LBC is configured with IRSA, the IMDS can be set with HttpPutResponseHopLimit = 1.

I also saw an issue raised 3 years ago about the documentation recommending the insecure IMDS configuration: kubernetes-sigs/aws-load-balancer-controller#2665 . Someone provided some context in kubernetes-sigs/aws-load-balancer-controller#2665 (comment) (in 2022):

Just to chime in, we're using AWS Security Hub and we can't set the hops to 2 without violating the AutoScaling.4 rule (which has a severity of High). A bit of a catch 22 that the solution suggested for kubernetes-sigs/aws-load-balancer-controller#2584 will then leave you with AWS Security Hub flashing red.

This issue was closed due to inactivity, so there is unfortunately no comment related to the more recent Pull Requests which removed the dependency on the IMDS.

While exploring AWS LBC's issue tracker, I stumbled upon kubernetes-sigs/aws-load-balancer-controller#3955 (comment)

The default EKS Node group now sets IMDSv2 to Required and Http-Put-Response-Hop-Limit to 1 (if you don't specify a launch template)

Did you follow when AWS changed this default configuration for EKS Node groups?

@bryantbiggs
Member

we can consider switching this default at the next breaking change, but we can't impose this on users at this time

@niooss-ledger
Author

I understand. I am fine with this approach. Thanks!
