AWS EC2 instances deploy with IMDSv1

ISSUE

Is there a way when deploying a cluster on AWS to deploy EC2 instances with Instance Metadata Service Version 2 (IMDSv2)? Does Qovery use IMDSv1? I don’t see an option to change this in advanced settings in the cluster. I also don’t want to break something by manually changing it if Qovery uses it for something.

-Colin

Hi,

Sorry but I’m not sure I get it. Metadata looks to be accessible by default (Use IMDSv2 - Amazon Elastic Compute Cloud).

So can you please be more precise about what you want to achieve and what you expect?

Thanks

When I deployed a cluster through Qovery, it was deployed using IMDSv1. I just wanted to make sure that changing it to IMDSv2 wouldn’t break anything and also if there was a setting to have Qovery deploy the cluster with IMDSv2.

Hi,

I think (to be checked with AWS) it can be an issue. From their documentation, we can read:

No pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current AWS Region.

And we need access to metadata for some pods like AWS Node Termination Handler (looks to be supported: Support IMDSv2 · Issue #22 · aws/aws-node-termination-handler · GitHub). How do you want to update this behavior? (to ensure your conf will not be overwritten)

Thanks

Sorry I was being imprecise as I’m not super familiar with Kubernetes. I need to disable IMDSv1 for the cluster. Can I do this through Qovery? If not, this Require IMDSv2 shows how to disable it:
aws ec2 modify-instance-metadata-options \
    --instance-id i-1234567898abcdef0 \
    --http-tokens required \
    --http-endpoint enabled

Will doing it through AWS CLI allow it to be overwritten in the future?

Hi Colin,

The way you propose will work until those EC2 instances are replaced (for node maintenance, scale down, EKS nodegroup upgrade…). I just made a quick check to see if we could change/update it on EKS but did not find anything yet.

I’m going to open a ticket and see what AWS proposes for this.

I’ll keep you up to date.

Pierre

Colin,

I think I have a solution; I have to perform tests. If it works, it will take around 2 weeks for implementation and validation (ensuring everything works fine as expected). Please let me know if it’s ok for you.

Thanks


That should work! Thank you!


Hi @colin ,

Small update: everything is ready on our side, and the test observability has started. If everything is going well, we’ll make it generally available next week.

Pierre


Hi @colin ,

You can now access IMDS configuration through Cluster advanced settings (Cluster Advanced Settings | Docs | Qovery).

Once configured, redeploy your cluster; new nodes will replace old ones with the settings you want.

Pierre

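Added example, not part of the original thread and not Qovery's or AWS's code: a check to run after the redeploy described above, or after the manual CLI change discussed earlier, to see which running nodes still accept IMDSv1. It parses the JSON printed by `aws ec2 describe-instances`; the sample input, instance IDs and function names are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa4", "State": {"Name": "terminated"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]}


def audit_imds(describe_instances):
    """Classify the IMDS settings of every running instance in the output."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # only running nodes are audited
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                status = "imds-disabled"
            elif opts.get("HttpTokens", "optional") == "required":
                status = "imdsv2-only"
            else:
                status = "imdsv1-allowed"  # missing data is treated as weak
            hops = opts.get("HttpPutResponseHopLimit", 1)
            findings.append({
                "instance": inst["InstanceId"],
                "status": status,
                # With tokens required, a hop limit of 1 stops the token
                # response from reaching pods that are not on the host network.
                "pods_blocked": status == "imdsv2-only" and hops < 2,
            })
    return findings


def non_compliant(findings):
    """Instance IDs that still answer IMDSv1 requests."""
    return [f["instance"] for f in findings if f["status"] == "imdsv1-allowed"]


if __name__ == "__main__":
    # Pipe real CLI output on stdin, or run with no input to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_imds(data)
    for f in results:
        print(f)
    sys.exit(1 if non_compliant(results) else 0)
```

Saved under a name of your choice (here `audit_imds.py`, hypothetical), it can be fed with `aws ec2 describe-instances --output json | python3 audit_imds.py`; the exit code is non-zero while any running instance still allows IMDSv1.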

Thank you so much! I was able to update the cluster.

P.S. One small thing, it looks like the field may be case sensitive and the docs have it as “Required” and “Optional” instead of “required” and “optional”.


Thanks for the feedback, updating it.
