Support IMDS v2 #381
Conversation
The tests are failing as you're using an http method (request.Clone) not found in go1.12. I've updated the go version, so if you rebase with master it should fix it.
This is required for support of the instance metadata API v2
(Regardless of whether the path is in the whitelist or not)
Ah, sorry. Rebase done.
Hey, I've been trying to look over this, the first two commits seem pretty self-explanatory. It's the third one that I keep getting stuck on, can you give some more detail about what you're trying to achieve here? Is it actually needed for this to work or is it an extra set of security you're adding? If it's the latter perhaps we should split this up.
The reasoning behind the third commit went something like this: If I'm on an AWS instance (without Kubernetes or Kiam), I can now (successfully) get credentials out of the metadata API in two ways:
I'm pretty sure the first two commits here (whitelisting the token endpoint and removing the The third commit is my attempt to respect the session control aspect of IMDSv2 without needing to keep track of sessions within Kiam. Totally happy to remove it and deal with it later if you like.
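Added example, not code from this PR or from kiam itself: the IMDSv2 exchange the comments above are about, run against a constructed fake metadata service. The PUT to /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header, and the X-aws-ec2-metadata-token header on every subsequent read, are the IMDSv2 protocol; the fakeIMDS type, the proxyAllows whitelist check and the example-role credential path are assumptions made for illustration. It shows why the token endpoint has to be reachable regardless of the whitelist (a v2 client cannot read anything until it has a token) and what a session-respecting proxy would see: a read without a valid token is refused with 401.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strconv"
	"sync"
	"time"
)

const (
	tokenPath   = "/latest/api/token"
	tokenHeader = "X-aws-ec2-metadata-token"
	ttlHeader   = "X-aws-ec2-metadata-token-ttl-seconds"
	credsPath   = "/latest/meta-data/iam/security-credentials/example-role" // constructed role name
)

// fakeIMDS is a constructed stand-in for the EC2 metadata service (assumption:
// not AWS's implementation). It enforces the IMDSv2 session rule: a read must
// carry a token minted by a PUT to the token endpoint, and the token must be unexpired.
type fakeIMDS struct {
	mu     sync.Mutex
	tokens map[string]time.Time // token -> expiry
}

func newFakeIMDS() *fakeIMDS { return &fakeIMDS{tokens: map[string]time.Time{}} }

func (f *fakeIMDS) validToken(tok string) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	exp, ok := f.tokens[tok]
	return ok && time.Now().Before(exp)
}

func (f *fakeIMDS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == tokenPath {
		// Session start: only a PUT carrying a TTL of 1..21600 seconds mints a token.
		ttl, err := strconv.Atoi(r.Header.Get(ttlHeader))
		if r.Method != http.MethodPut || err != nil || ttl < 1 || ttl > 21600 {
			http.Error(w, "PUT with a valid TTL header is required", http.StatusBadRequest)
			return
		}
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			http.Error(w, "rng failure", http.StatusInternalServerError)
			return
		}
		tok := hex.EncodeToString(b)
		f.mu.Lock()
		f.tokens[tok] = time.Now().Add(time.Duration(ttl) * time.Second)
		f.mu.Unlock()
		fmt.Fprint(w, tok)
		return
	}
	// Every other path is a metadata read. IMDSv2-only: a v1-style request
	// (no token header) is refused before the path is even looked at.
	if !f.validToken(r.Header.Get(tokenHeader)) {
		http.Error(w, "missing or expired token", http.StatusUnauthorized)
		return
	}
	if r.URL.Path == credsPath {
		fmt.Fprint(w, `{"Code":"Success","AccessKeyId":"AKIAEXAMPLE"}`) // constructed sample
		return
	}
	http.NotFound(w, r)
}

// call sends one request and returns the status and body.
func call(method, url string, headers map[string]string) (int, string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return 0, "", err
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// fetchToken is the client half of the IMDSv2 session start.
func fetchToken(base string, ttlSeconds int) (string, error) {
	status, body, err := call(http.MethodPut, base+tokenPath,
		map[string]string{ttlHeader: strconv.Itoa(ttlSeconds)})
	if err != nil {
		return "", err
	}
	if status != http.StatusOK {
		return "", fmt.Errorf("token request failed: %d %s", status, body)
	}
	return body, nil
}

// getMetadata reads a path; an empty token reproduces an IMDSv1-style client.
func getMetadata(base, path, token string) (int, string, error) {
	h := map[string]string{}
	if token != "" {
		h[tokenHeader] = token
	}
	return call(http.MethodGet, base+path, h)
}

// proxyAllows is an illustrative whitelist check (assumption, not kiam's code):
// the token endpoint always passes, because a v2 client must reach it before
// it can make any whitelisted read at all.
func proxyAllows(path string, whitelist []*regexp.Regexp) bool {
	if path == tokenPath {
		return true
	}
	for _, re := range whitelist {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

func main() {
	srv := httptest.NewServer(newFakeIMDS())
	defer srv.Close()
	status, _, _ := getMetadata(srv.URL, credsPath, "")
	fmt.Println("v1-style read without token:", status)
	tok, err := fetchToken(srv.URL, 60)
	if err != nil {
		panic(err)
	}
	status, body, _ := getMetadata(srv.URL, credsPath, tok)
	fmt.Println("v2 read with token:", status, body)
}
```

Run it with `go run` to see the v1-style read refused and the v2 read succeed. A proxy that wants to honour IMDSv2 sessions without tracking them itself can do what the fake server does here: forward the token endpoint untouched and require the token header on credential reads, leaving token validity to the real metadata service.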
Right ok, I think I follow, so you're having kiam check the token before handing out a role to the requester as an additional security layer.
Sure. I'll put it into another branch.
Done
Joseph-Irving left a comment
ok, that's great thanks
lgtm!
fixes #359
*/api/token without consulting the API whitelist