Merge pull request #655 from aws-samples/fix/restrict-imds

fix: improvement for managed nodegroup and karpenter provisioner

Author: lmouhib

core/src/emr-eks-platform/emr-eks-cluster.ts

@@ -579,7 +579,7 @@ export class EmrEksCluster extends TrackedConstruct {
   public addEmrEksNodegroup(id: string, props: EmrEksNodegroupOptions) {
 
     if (this.isKarpenter) {
-      throw new Error(`You can\'t use this method when the autoscaler is set to ${Autoscaler.KARPENTER}`);
+      throw new Error(`You cannot use this method when the autoscaler is set to ${Autoscaler.KARPENTER}`);
     }
 
     // Get the subnet from Properties or one private subnet for each AZ

core/src/emr-eks-platform/resources/k8s/karpenter-provisioner-config/critical-provisioner.yml

@@ -73,6 +73,11 @@ spec:
     kubernetes.io/cluster/{{cluster-name}}: owned
   tags:
     KarpenerProvisionerName: "critical"
+  metadataOptions:
+    httpEndpoint: enabled
+    httpProtocolIPv6: disabled
+    httpPutResponseHopLimit: 2
+    httpTokens: required
   amiFamily: AL2
   userData: |
     MIME-Version: 1.0

core/src/emr-eks-platform/resources/k8s/karpenter-provisioner-config/notebook-driver-provisioner.yml

@@ -71,6 +71,11 @@ spec:
   amiFamily: AL2
   subnetSelector:
      aws-ids: {{subnet-id}}
+  metadataOptions:
+    httpEndpoint: enabled
+    httpProtocolIPv6: disabled
+    httpPutResponseHopLimit: 2
+    httpTokens: required
   securityGroupSelector:
     kubernetes.io/cluster/{{cluster-name}}: owned
   tags:

core/src/emr-eks-platform/resources/k8s/karpenter-provisioner-config/notebook-executor-provisioner.yml

@@ -74,6 +74,11 @@ spec:
   amiFamily: AL2
   subnetSelector:
     aws-ids: {{subnet-id}}
+  metadataOptions:
+    httpEndpoint: enabled
+    httpProtocolIPv6: disabled
+    httpPutResponseHopLimit: 2
+    httpTokens: required
   securityGroupSelector:
     kubernetes.io/cluster/{{cluster-name}}: owned
   tags:

core/src/emr-eks-platform/resources/k8s/karpenter-provisioner-config/shared-driver-provisioner.yml

@@ -66,6 +66,11 @@ spec:
   amiFamily: AL2
   subnetSelector:
      aws-ids: {{subnet-id}}
+  metadataOptions:
+    httpEndpoint: enabled
+    httpProtocolIPv6: disabled
+    httpPutResponseHopLimit: 2
+    httpTokens: required
   securityGroupSelector:
     kubernetes.io/cluster/{{cluster-name}}: owned
   tags:

core/src/emr-eks-platform/resources/k8s/karpenter-provisioner-config/shared-executor-provisioner.yml

@@ -71,6 +71,11 @@ spec:
   amiFamily: AL2
   subnetSelector:
     aws-ids: {{subnet-id}}
+  metadataOptions:
+    httpEndpoint: enabled
+    httpProtocolIPv6: disabled
+    httpPutResponseHopLimit: 2
+    httpTokens: required
   securityGroupSelector:
     kubernetes.io/cluster/{{cluster-name}}: owned
   tags:

core/src/emr-eks-platform/resources/k8s/karpenter-provisioner-config/tooling-provisioner.yml

@@ -61,6 +61,11 @@ spec:
   amiFamily: AL2
   subnetSelector:
     aws-ids: {{subnet-list}}
+  metadataOptions:
+    httpEndpoint: enabled
+    httpProtocolIPv6: disabled
+    httpPutResponseHopLimit: 2
+    httpTokens: required
   securityGroupSelector:
     kubernetes.io/cluster/{{cluster-name}}: owned
   tags:

core/src/singleton-launch-template.ts

@@ -15,8 +15,15 @@ export class SingletonCfnLaunchTemplate extends CfnLaunchTemplate {
     const id = `${name}`;
     return stack.node.tryFindChild(id) as CfnLaunchTemplate || new CfnLaunchTemplate(stack, id, {
       launchTemplateName: name,
+      
       launchTemplateData: {
         userData: data,
+        metadataOptions: {
+          httpEndpoint: 'enabled',
+          httpProtocolIpv6: 'disabled',
+          httpPutResponseHopLimit: 2,
+          httpTokens: 'required'
+        }
       },
     });
   }