Does OpenShift 4 support specific version of IMDS for AWS clusters?

Solution In Progress - Updated -

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4
  • Amazon EC2 Instance Metadata Service (IMDS)

Issue

  • Is it possible to specify the version of IMDS for the nodes in OCP, OSD or ROSA clusters?
  • Ignition does not boot when IMDSv2 is set to required on AWS.
  • Is IMDSv2 supported in OpenShift 4?

Resolution

Ignition supports fetching configs on AWS from the Instance Metadata Service Version 2 (IMDSv2) starting with OpenShift 4.7, as tracked in Bugzilla BZ 1899220.

Starting with OpenShift 4.11, it is possible to use machine sets to create compute machines that use a specific version of IMDS; see Configuration options for the Amazon EC2 Instance Metadata Service and Machine set options for the Amazon EC2 Instance Metadata Service in the documentation.

Important: as the documentation notes, before configuring a machine set to create compute machines that require IMDSv2, ensure that any workloads that interact with the AWS metadata service support IMDSv2.

For ROSA (Red Hat OpenShift Service on AWS)

Both IMDSv1 and IMDSv2 are used by default. To require IMDSv2, enable it at cluster installation time with the latest versions of the rosa CLI and aws CLI, using the --ec2-metadata-http-tokens parameter.

There is currently an RFE to allow switching to IMDSv2 only as a day-2 task: RFE-4551.
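The following is an added example, not code from this article or from Red Hat, that shows the check a cluster administrator would run before and after the changes described above: it audits which AWS machine sets do not yet set metadataServiceOptions.authentication to Required (the field path the OpenShift machine set documentation uses for AWS providerSpec), which running EC2 instances still answer unauthenticated IMDSv1 requests (MetadataOptions.HttpTokens is not "required"), and builds the JSON merge patch body for oc patch. Both inputs are constructed, trimmed samples of `oc get machinesets -n openshift-machine-api -o json` and `aws ec2 describe-instances --output json`; the machine set names and instance IDs are invented for the example.

```python
import json
from typing import List

# Constructed sample: trimmed shape of `oc get machinesets -n openshift-machine-api -o json`.
# Only the IMDS-relevant part of providerSpec is kept. "Required" makes new machines accept
# IMDSv2 only; "Optional" (the default when the field is absent) allows both v1 and v2.
SAMPLE_MACHINESETS = {
    "items": [
        {
            "metadata": {"name": "demo-worker-us-east-1a"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {
                "metadataServiceOptions": {"authentication": "Required"}
            }}}}},
        },
        {
            "metadata": {"name": "demo-worker-us-east-1b"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {
                "metadataServiceOptions": {"authentication": "Optional"}
            }}}}},
        },
        {
            # No metadataServiceOptions at all: behaves like Optional.
            "metadata": {"name": "demo-worker-us-east-1c"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {}}}}},
        },
    ]
}

# Constructed sample: trimmed shape of `aws ec2 describe-instances --output json`.
# Instance IDs are invented.
SAMPLE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111constructed",
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbb222constructed",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ccc333constructed",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
        ]},
    ]
}


def machinesets_not_requiring_imdsv2(machinesets: dict) -> List[str]:
    """Names of machine sets whose providerSpec does not set authentication: Required."""
    lax = []
    for ms in machinesets.get("items", []):
        value = ms["spec"]["template"]["spec"]["providerSpec"]["value"]
        auth = value.get("metadataServiceOptions", {}).get("authentication", "Optional")
        if auth != "Required":
            lax.append(ms["metadata"]["name"])
    return lax


def instances_accepting_imdsv1(describe_output: dict) -> List[str]:
    """Instance IDs whose metadata endpoint is enabled and still serves token-less (v1) requests."""
    found = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found


def imdsv2_patch() -> str:
    """JSON merge patch body for:
    oc patch machineset <name> -n openshift-machine-api --type merge -p '<body>'
    """
    patch = {"spec": {"template": {"spec": {"providerSpec": {"value": {
        "metadataServiceOptions": {"authentication": "Required"}}}}}}}
    return json.dumps(patch, separators=(",", ":"))


if __name__ == "__main__":
    for name in machinesets_not_requiring_imdsv2(SAMPLE_MACHINESETS):
        print(f"machine set {name} does not require IMDSv2; patch with: {imdsv2_patch()}")
    for instance_id in instances_accepting_imdsv1(SAMPLE_INSTANCES):
        print(f"instance {instance_id} still accepts IMDSv1 requests")
```

Patching a machine set changes only the machines it creates afterwards, so existing nodes keep their current IMDS setting until they are replaced; the instance-level check is therefore the one that confirms the cluster's real exposure, and it applies equally to ROSA clusters where the machine set route is not available as a day-2 change.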

Root Cause

Starting with OpenShift 4.11, it is now possible to use machine sets to create compute machines that use a specific version of IMDS. IMDSv2 is required to reduce security exposure on AWS EC2.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
