Which version of AWS Instance Metadata Service is used by OCP 3/4?

Solution Verified

Environment

  • Red Hat OpenShift Container Platform (OCP)
    • 3.11
    • 4.6.x

Issue

  • Which version of the AWS Instance Metadata Service, IMDSv1 or IMDSv2, is used by OCP 3 instances/SDKs when calling for AWS metadata?

  • Is there a way to configure OCP 3 to use Instance Metadata Service Version 2 (IMDSv2) when calling for the AWS metadata?

  • Ignition does not boot when IMDSv2 is set to required on AWS.

  • Currently, OpenShift 4 doesn't support IMDSv2.

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

  • OCP 3 uses Instance Metadata Service Version 1 (IMDSv1) when calling for the AWS metadata. A quick test run on an OCP cluster running on AWS shows that IMDSv1 is still supported, i.e. the IMDSv1 queries described here still succeed (notably without requiring a token).

  • Both versions are supported by default. Using Instance Metadata Service Version 2 (IMDSv2) in RHOCP 3 would not make much difference from a security perspective: v2 is a slight improvement, but credentials are still accessible without authentication in both v1 and v2.

  • Forcing OCP 3 components to use Instance Metadata Service Version 2 (IMDSv2) makes no difference as long as v1 queries are still answered by the instance.

  • OpenShift 4 (4.7) now supports IMDSv2.

  • The issue was reported to the engineering team in RHBZ#1899220.
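The "quick test" in the Resolution can be scripted as an audit of which metadata mode a node actually enforces. This is an added example, not part of the Red Hat solution: it assumes it is run on an EC2 node, uses the AWS-defined endpoint and IMDSv2 header names, and classifies the result with the same names as the AWS HttpTokens setting.

```python
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"          # link-local metadata endpoint (AWS-defined)
TOKEN_HDR = "X-aws-ec2-metadata-token"   # IMDSv2 session-token header (AWS-defined)
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"


def http(url, headers=None, method="GET", timeout=2):
    """Minimal HTTP helper: returns (status, body); status 0 means no answer at all."""
    req = urllib.request.Request(url, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:      # e.g. 401 when a token is required
        return err.code, ""
    except OSError:                            # timeout / no route: endpoint disabled
        return 0, ""


def imds_mode(fetch=http):
    """Classify the node's metadata options the way the AWS HttpTokens setting
    names them: 'optional' (v1 still answered), 'required' (v2 only) or 'disabled'.
    `fetch` is injectable so the logic can be exercised without an EC2 instance."""
    status, _ = fetch(f"{IMDS}/latest/meta-data/")
    if status == 200:
        return "optional"        # token-less GET succeeded: IMDSv1 is still enabled
    # IMDSv2 flow: obtain a short-lived session token with a PUT, then use it.
    status, token = fetch(f"{IMDS}/latest/api/token", {TTL_HDR: "60"}, "PUT")
    if status != 200 or not token:
        return "disabled"
    status, _ = fetch(f"{IMDS}/latest/meta-data/", {TOKEN_HDR: token})
    return "required" if status == 200 else "disabled"


if __name__ == "__main__":
    # Audit only: per this solution, OCP 3 and OCP < 4.7 nodes will not boot
    # when HttpTokens is set to required, so report the mode rather than change it.
    print(imds_mode())
```

The reported mode corresponds to the `--http-tokens` value of `aws ec2 modify-instance-metadata-options`, which is the setting that enforces IMDSv2 on an instance; on OCP 3 and pre-4.7 OCP 4 nodes it has to stay `optional` for the reasons given above.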

Root Cause

  • Requiring IMDSv2 reduces the security exposure of EC2 instance metadata on AWS.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
