Add blackhole imds route for awsvpc network mode #968
Conversation
…ss to instance metdata for awsvpc tasks
aaithal
requested review from
nmeyerhans,
samuelkarp,
vsiddharth and
richardpen
aaithal
force-pushed
the
addBlackholeIMDSRoute
branch
from
1274e8f to
d6a614f
Compare
…AWSVPCBlockInstanceMetdata config is enabled
aaithal
force-pushed
the
addBlackholeIMDSRoute
branch
from
d6a614f to
820d1bd
Compare
|
@nmeyerhans I decided not to do a changelog entry as I think this should be covered under 0e782a5. Do you think this warrants an entry by itself? |
agent/app/agent_capability.go
Outdated
| @@ -124,6 +126,14 @@ func (agent *ecsAgent) capabilities() []*ecs.Attribute { | |||
| capabilities = append(capabilities, taskENIVersionAttribute) | |||
| } | |||
|
|
|||
| if agent.cfg.AWSVPCBlockInstanceMetdata { | |||
There was a problem hiding this comment.
You may want to move this above inside the check for TaskENIEnabled since this relies on the awsvpc network mode and cni plugins.
There was a problem hiding this comment.
I thought about and ended up not doing it as it's essentially a nop to do this if Task ENI is not enabled. I'll change it if you insist.
There was a problem hiding this comment.
Move this above makes the logic more clear to me, let's do it, thanks.
README.md
Outdated
| @@ -177,6 +177,7 @@ configure them as something other than the defaults. | |||
| | `ECS_INSTANCE_ATTRIBUTES` | `{"stack": "prod"}` | These attributes take effect only during initial registration. After the agent has joined an ECS cluster, use the PutAttributes API action to add additional attributes. For more information, see [Amazon ECS Container Agent Configuration](http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the Amazon ECS Developer Guide.| `{}` | `{}` | | |||
| | `ECS_ENABLE_TASK_ENI` | `false` | Whether to enable task networking for task to be launched with its own network interface | `false` | `false` | | |||
| | `ECS_CNI_PLUGINS_PATH` | `/ecs/cni` | The path where the cni binary file is located | `/amazon-ecs-cni-plugins` | `/amazon-ecs-cni-plugins` | | |||
| | `ECS_AWSVPC_BLOCK_IMDS` | `true` | Whether to block access to Instance Metdata for Tasks started with `awsvpc` network mode | `false` | `false`| | |||
There was a problem hiding this comment.
Do you we need to add a link to the instance metadata here, I'm not sure if all the customers know Instance Metadata?
There was a problem hiding this comment.
Sure, I can do that.
| @@ -380,3 +380,11 @@ func TestImageCleanupMinimumNumImagesToDeletePerCycle(t *testing.T) { | |||
| t.Errorf("Wrong value for NumImagesToDeletePerCycle: %v", cfg.NumImagesToDeletePerCycle) | |||
| } | |||
| } | |||
|
|
|||
| func TestAWSVPCBlockInstanceMetadata(t *testing.T) { | |||
There was a problem hiding this comment.
Isn't the name itself descriptive?
There was a problem hiding this comment.
Only if I know that this test was in the config package, it will have different meaning in engine package, where the test may be testing the process to block the metadata. Ignore my comments if we are supposed to have the context when reading the code.
…ty if 'task-eni' is not set
There was a problem hiding this comment.
LGTM. Though it'd make me really happy to see more detailed commit messages. https://chris.beams.io/posts/git-commit/ has some examples of good commit messages and explains why they matter.
|
@nmeyerhans that'd make me happy as well. I thought the changes here were small enough and didn't need additional context. Let me know if you had any particular commit(s) in mind and I can add some context. |
|
One thing that'd help the commit messages here is to ensure that the "subject" (first line of the message) is no longer than about 50 characters. When displaying a commit log, Github truncates at 70 characters, so there's a little room to be flexible here, but most of the commits in this PR don't even fit within the 70 character limit. Any context or details that don't fit within ~50 characters should be expanded upon in the "body" of the commit message. Note for others who might be reading: Do as I say, not as I do. I've certainly pushed some poor commit messages in the past. More recently, though, we've had internal conversations about improving our commit logs, and I'm trying to drive that effort forward... |
Summary
Add AWSVPCBlockInstanceMetdata config (
ECS_AWSVPC_BLOCK_IMDS) for blocking access to instance metdata for awsvpc tasksImplementation details
Testing
make release)go build -out amazon-ecs-agent.exe ./agent)make test) passgo test -timeout=25s ./agent/...) passmake run-integ-tests) pass.\scripts\run-integ-tests.ps1) passmake run-functional-tests) pass.\scripts\run-functional-tests.ps1) passNew tests cover the changes: Yes
Description for the changelog
None
Licensing
This contribution is under the terms of the Apache 2.0 License: Yes