Update Agent to be more resilient in case of unauthenticated timeouts with IMDS #3795
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hozkaya2000
changed the title
hozkaya2000
changed the title
Realmonia
requested changes
Jul 12, 2023
hozkaya2000
force-pushed
the
branch_pull_behavior
branch
from
7c87f5b
to
803924c
Compare
hozkaya2000
force-pushed
the
branch_pull_behavior
branch
from
803924c
to
2923fe3
Compare
mythri-garaga
approved these changes
Jul 12, 2023
Realmonia
approved these changes
Jul 12, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
There is an edge case where the credentials within the agent used to access internal resources can be incorrect due to other processes restarting during a certain time interval. This can cause the agent to think that the credentials are not expired and correct. The change is to prevent this from happening, and refreshing the credentials in the first location this issue would appear, which would be
RegisterContainerInstancein the ecsclient.Implementation details
The issue occurs in the
RegisterContainerInstancefunction in ecsclient'sclient.go.RegisterContainerInstancemakes the call to IMDS inSetInstanceIdentityfunction where the client for communicating with IMDS is used with the callclient.ec2metadata.GetDynamicData(...). The new IMDS process does not work with the current credentials.In the fix, this line is replaced with a retry strategy. When we get an error code, the current credentials in agent are forced before the retry to be expired, and a
GetCredentialscall is made to refresh the credentials, with multiple retries if it fails again. The global instance credentials in the agent are refreshed with this call, so other calls made by agent to IMDS are no longer an issue.Testing
To test, a new case was added to the
RegisterContainerInstanceTestthat is the exact same as the basic success case, but the first call toclient.ec2metadata.GetDynamicData(...)was simulated to fail, and the retry call to succeed. The rest of the test validations remained, making sure that retries didn't prevent any other process from happening.New tests cover the changes: yes
Description for the changelog
Files:
were changed as described in the implementation and testing details
Licensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.