Posted On: Aug 24, 2020
Amazon EKS now supports containerized applications that require access to EC2 instance metadata using the IMDSv2 format.
IMDSv2 is an enhancement to instance metadata access that requires session-oriented requests to add defense in depth against unauthorized metadata access. IMDSv2 requires a PUT request to initiate a session to the instance metadata service and retrieve a token. By default, the response to PUT requests has a response hop limit (time to live) of 1 at the IP protocol level. However, this limit is incompatible with containerized applications on Kubernetes that run in a separate network namespace from the instance.
Now, newly launched and any updated EKS managed node groups will be configured with a metadata token response hop limit set to 2. For self-managed nodes, CloudFormation templates and eksctl have been updated to launch nodes by default with a hop limit of 2. This allows applications deployed onto EKS to begin using IMDSv2 for instance metadata requests. Customers with applications fully migrated to IMDSv2 can elect to disable IMDSv1 using managed node groups, eksctl, or CloudFormation.