Set `http_put_response_hop_limit = 1` by default

[niooss-ledger]

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅: changing IMDS options has been available for a long time.

Is your request related to a problem? Please describe.

AWS EKS Best Practices Guide recommends setting http_put_response_hop_limit = 1 (in section "Identities and Credentials for EKS pods Recommendations", subsection "Restrict access to the instance profile assigned to the worker node"):

You can block access to instance metadata by requiring the instance to use IMDSv2 only and updating the hop count to 1 as in the example below. [...]

If you are using Terraform to create launch templates for use with Managed Node Groups, add the metadata block to configure the hop count as seen in this code snippet:

resource "aws_launch_template" "foo" {
    name = "foo"
    …​
    metadata_options {
        http_endpoint = "enabled"
        http_tokens = "required"
        http_put_response_hop_limit = 1
        instance_metadata_tags = "enabled"
    }
    …​

The EKS Terraform module would be easier to use in a secure way if http_put_response_hop_limit was set to 1 by default.

Describe the solution you'd like.

When creating a EKS Cluster with Terraform with few options, I would like its metadata_options.http_put_response_hop_limit to be set to 1 instead of 2.

Describe alternatives you've considered.

Defining metadata_options.http_put_response_hop_limit = 1 in all Terraform projects works, but it is quite cumbersome.

Additional context

I am not aware of a legitimate use-case of using http_put_response_hop_limit = 2 in EKS nodes in 2025. AWS documents a warning:

Blocking access to instance metadata will prevent pods that do not use IRSA or EKS Pod Identities from inheriting the role assigned to the worker node.

Using the role assigned to the worker node in a pod is actually very dangerous because this role has special rights in the Kubernetes cluster (it can be used for example to read the Kubernetes Secrets used by pods running on the same node).

To make a pod able to use AWS resources without using the role assigned to the worker node, several robust ways exist: IRSA, EKS Pod Identities or even putting long-term AWS credentials in some Kubernetes Secrets used by the pod (which is not considered as the state of the art in the matter of security).

I suggest modifying the default value in

terraform-aws-eks/modules/eks-managed-node-group/variables.tf

Line 272 in 0b9d27b

http_put_response_hop_limit = 2

terraform-aws-eks/modules/self-managed-node-group/variables.tf

Line 356 in 0b9d27b

http_put_response_hop_limit = 2

terraform-aws-eks/node_groups.tf

Line 5 in 0b9d27b

http_put_response_hop_limit = 2

[bryantbiggs]

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/de50bdd80b227fb2ed940b30e33c224065d8c035/docs/deploy/installation.md#using-the-amazon-ec2-instance-metadata-server-version-2-imdsv2

[niooss-ledger]

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/de50bdd80b227fb2ed940b30e33c224065d8c035/docs/deploy/installation.md#using-the-amazon-ec2-instance-metadata-server-version-2-imdsv2

Thanks for the reference. I have not been using AWS Load Balancer Controller (LBC) in my EKS clusters so I was not aware of this limitation. From what I understand, AWS LBC is using the IMDS to retrieve the AWS region and the VPC ID (in pkg/aws/cloud.go).

For some years, the LBC has been updated to be able to rely on other sources of information instead of the IMDS:

• The AWS region can be discovered through environment variables AWS_DEFAULT_REGION and AWS_REGION, the latter being set when IAM Roles for service account (ISRA) is configured.
• The VPC ID can be discovered though the EC2 instance name (since Retrieve VPC ID from EC2 instance the controller is running on if possible kubernetes-sigs/aws-load-balancer-controller#2824) or some tags (since Fetch VPC ID from runtime using VPC tags provided via controller flags kubernetes-sigs/aws-load-balancer-controller#3656)

So it seems that when the LBC is configured with ISRA, the IMDS can be set with HttpPutResponseHopLimit = 1.

I also saw an issue raised 3 years ago about the documentation recommending the insecure IMDS configuration: kubernetes-sigs/aws-load-balancer-controller#2665 . Someone provided some context in kubernetes-sigs/aws-load-balancer-controller#2665 (comment) (in 2022):

Just to chime in, we're using AWS Security Hub and we can't set the hops to 2 without violating the AutoScaling.4 rule (which has a severity of High). A bit of a catch 22 that the solution suggested for kubernetes-sigs/aws-load-balancer-controller#2584 will then leave you with AWS Security Hub flashing red.

This issue was closed due to inactivity, so there is unfortunately no comment related to the more recent Pull Requests which removed the dependency on the IMDS.

While exploring AWS LBC's issue tracker, I stumbled upon kubernetes-sigs/aws-load-balancer-controller#3955 (comment)

The default EKS Node group now sets IMDBv2 to Required and Http-Put-Repsonse-Hop-Limit to 1 (if you don't specify a launch template)

Did you follow when AWS changed this default configuration for EKS Node groups?

[bryantbiggs]

we can consider switching this default at the next breaking change, but we can't impose this on users at this time

[niooss-ledger]

I understand. I am fine with this approach. Thanks!

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[niooss-ledger]

This issue is not stale, but pending.