From cf19d59e49e97baaea1e55bce6a962b82f43c134 Mon Sep 17 00:00:00 2001
From: Kubermatic Bot <41968677+kubermatic-bot@users.noreply.github.com>
Date: Thu, 1 Aug 2024 11:45:15 +0200
Subject: [PATCH] AWS: Increase IMDS hop limit for EC2 instances (#1836)

Signed-off-by: Waleed Malik
Co-authored-by: Waleed Malik
---
 pkg/cloudprovider/provider/aws/provider.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/cloudprovider/provider/aws/provider.go b/pkg/cloudprovider/provider/aws/provider.go
index ba41038f8..831bdbef7 100644
--- a/pkg/cloudprovider/provider/aws/provider.go
+++ b/pkg/cloudprovider/provider/aws/provider.go
@@ -61,6 +61,11 @@ const (
 // Interval and timeout for polling.
 pollInterval = 2 * time.Second
 pollTimeout = 5 * time.Minute
+ // The maximum number of hops that the metadata service can be forwarded to, defaults to 2.
+ // We need to set this to a higher value i.e. 3 to ensure that it is not blocked by extra hops that are introduced either by CNI or other networking components. With lower
+ // limits AWS metadata service is not reachable from the container network in such a scenario.
+ // For example: https://github.com/cilium/cilium/issues/25232
+ awsMetadataHTTPPutResponseHopLimit = 3
 )
 
 var (
@@ -760,6 +765,9 @@ func (p *provider) Create(ctx context.Context, log *zap.SugaredLogger, machine *
 assignPublicIP := config.AssignPublicIP == nil || *config.AssignPublicIP
 
 instanceRequest := &ec2.RunInstancesInput{
+ MetadataOptions: &ec2types.InstanceMetadataOptionsRequest{
+ HttpPutResponseHopLimit: aws.Int32(awsMetadataHTTPPutResponseHopLimit),
+ },
 ImageId: aws.String(amiID),
 InstanceMarketOptions: instanceMarketOptions,
 BlockDeviceMappings: []ec2types.BlockDeviceMapping{
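Review bot: The comment on awsMetadataHTTPPutResponseHopLimit says the hop limit "defaults to 2", but the EC2 RunInstances API reference documents HttpPutResponseHopLimit as defaulting to 1 (worth re-checking against the current docs); 2 looks like an AMI-specific default, so the comment should say which default it is describing. It also omits the reason the default is low: every extra hop is one more network segment from which IMDS, and with it the node's instance-profile credentials, becomes reachable, so raising it is a deliberate widening of exposure and not just a connectivity fix. I would replace the four comment lines with something like `// IMDS hop limit. The API default (1) is consumed by the extra hop some CNIs add (see https://github.com/cilium/cilium/issues/25232), so IMDS would be unreachable from pods; 3 keeps it reachable, which also means pods can obtain the node's instance-profile credentials unless IMDSv2 is required and pod access to IMDS is restricted.` The same trade-off applies to the MetadataOptions block in the second hunk.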
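Review bot: MetadataOptions sets only HttpPutResponseHopLimit and leaves HttpTokens at the AMI/account default, so on nodes where the hop limit was raised precisely to make IMDS reachable from the pod network, IMDSv1 may still answer unauthenticated GETs for the instance-profile credentials; requiring v2 is the standard mitigation for that exposure, and the PUT token request is exactly what the hop limit governs, so the two settings belong together. Consider adding `HttpTokens: ec2types.HttpTokensStateRequired,` next to the hop limit, or, if some workloads still depend on v1, exposing both fields on the AWS provider spec so operators can choose; as written the value 3 is applied unconditionally to every machine this provider creates, with no opt-out for clusters whose CNI adds no hop. Create begins and ends outside this hunk, so I cannot see whether config already carries a metadata-options field that could be wired in here.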