Use IMDSv2 token when fetching node ip in entrypoint

This is required in hardened setups (as recommended by the AWS documentation) This has been tested on nodes with the following launch template options: MetadataOptions.HttpTokens required MetadataOptions.HttpPutResponseHopLimit 1 Without the change, the CNI driver did not become ready on the master branch.
aws · Nov 9, 2021 · 06e9ea4 · 06e9ea4
1 parent 6a15a84
commit 06e9ea4
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
@@ -125,12 +125,14 @@ wait_for_ipam() {
 get_node_primary_v4_address() {
     while :
     do
-        NODE_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)
+        token=$(curl -Ss -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
+        NODE_IP=$(curl -H "X-aws-ec2-metadata-token: $token" -Ss http://169.254.169.254/latest/meta-data/local-ipv4)
         if [[ "${NODE_IP}" != "" ]]; then
             return 0
         fi
         # We sleep for 1 second between each retry
         sleep 1
+        log_in_json info "Retrying fetching node-IP"
     done
 }