[Feature] Make HttpPutResponseHopLimit configurable #7665

Open
nikita-b opened this issue Mar 19, 2024 · 4 comments
Labels
kind/feature New feature or request priority/important-longterm Important over the long term, but may not be currently staffed and/or may require multiple releases

Comments

@nikita-b

What feature/behavior/change do you want?

We need to have HttpPutResponseHopLimit == 3

Why do you want this feature?

We use DIND in our Kubernetes cluster (it's a cluster for GitLab agents) and we can't disable IMDSv1 because the hop count from a DIND container is 3.

@nikita-b nikita-b added the kind/feature New feature or request label Mar 19, 2024
Contributor

Hello nikita-b 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

@TiberiuGC
Collaborator

TiberiuGC commented Mar 20, 2024

Hi @nikita-b, may I ask a couple of questions for clarification:

  • are you using self-managed or EKS-managed nodes? For EKS-managed nodes, as a workaround, you can use a custom launch template where you manually configure hop limit to 3.
  • from what I see, eksctl sets hop limit by default to 2, regardless of which IMDS version is being used (code snippet below). Do you want to have configurable hop limit just to be able to disable IMDSv1? If so, how does your cluster config look at the moment so that IMDSv1 works with hop limit 2?

```go
func makeMetadataOptions(ng *api.NodeGroupBase) *gfnec2.LaunchTemplate_MetadataOptions {
	imdsv2TokensRequired := "optional"
	if api.IsEnabled(ng.DisableIMDSv1) || api.IsEnabled(ng.DisablePodIMDS) {
		imdsv2TokensRequired = "required"
	}
	hopLimit := 2
	if api.IsEnabled(ng.DisablePodIMDS) {
		hopLimit = 1
	}
	return &gfnec2.LaunchTemplate_MetadataOptions{
		HttpPutResponseHopLimit: gfnt.NewInteger(hopLimit),
		HttpTokens:              gfnt.NewString(imdsv2TokensRequired),
	}
}
```

@nikita-b
Author

nikita-b commented Mar 27, 2024

Hello @TiberiuGC,

> are you using self-managed or EKS-managed nodes? For EKS-managed nodes, as a workaround, you can use a custom launch template where you manually configure hop limit to 3.

We use self-managed nodes.

> from what I see, eksctl sets hop limit by default to 2, regardless of which IMDS version is being used (code snippet below). Do you want to have configurable hop limit just to be able to disable IMDSv1? If so, how does your cluster config look at the moment so that IMDSv1 works with hop limit 2?

Nope, I want to have access to AWS metadata from containers that run with Docker-in-Docker, because in this case we have hop == 3 (Container with application network interface -> Container with Docker network interface -> Host network interface).

@CrisNevares

+1. I would like to be able to specify the hopLimit in my clusterConfig so I can avoid having to create launch templates prior to creating the cluster just so I can set the hop limit = 2.

@TiberiuGC TiberiuGC added the priority/important-longterm Important over the long term, but may not be currently staffed and/or may require multiple releases label Apr 26, 2024
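
A sketch of the behaviour requested in this thread, added here as an example and not taken from eksctl: the defaults from the quoted `makeMetadataOptions` snippet are kept, and an explicit hop limit overrides them after validation. The `IMDSConfig` and `MetadataOptions` types, the `HopLimit` field and `ResolveMetadataOptions` are hypothetical names; the 1 to 64 range is the one EC2 accepts for `HttpPutResponseHopLimit`.

```go
package main

import "fmt"

// IMDSConfig is a hypothetical stand-in for the node group fields in the
// issue; HopLimit is the requested setting and is not an eksctl field.
type IMDSConfig struct {
	DisableIMDSv1  bool
	DisablePodIMDS bool
	HopLimit       *int // nil means "keep the current default"
}

// MetadataOptions holds the two launch template values set by the snippet.
type MetadataOptions struct {
	HttpTokens              string
	HttpPutResponseHopLimit int
}

// ResolveMetadataOptions applies the snippet's defaults (2, or 1 when pod
// IMDS is disabled) and lets a validated explicit HopLimit override them.
func ResolveMetadataOptions(c IMDSConfig) (MetadataOptions, error) {
	opts := MetadataOptions{HttpTokens: "optional", HttpPutResponseHopLimit: 2}
	if c.DisableIMDSv1 || c.DisablePodIMDS {
		opts.HttpTokens = "required"
	}
	if c.DisablePodIMDS {
		opts.HttpPutResponseHopLimit = 1
	}
	if c.HopLimit == nil {
		return opts, nil
	}
	// EC2 accepts hop limits from 1 to 64.
	if *c.HopLimit < 1 || *c.HopLimit > 64 {
		return MetadataOptions{}, fmt.Errorf("hop limit %d is outside 1-64", *c.HopLimit)
	}
	// The snippet implements DisablePodIMDS as hop limit 1, so a larger
	// explicit value contradicts it; reject instead of silently widening access.
	if c.DisablePodIMDS && *c.HopLimit != 1 {
		return MetadataOptions{}, fmt.Errorf("hop limit %d conflicts with DisablePodIMDS", *c.HopLimit)
	}
	opts.HttpPutResponseHopLimit = *c.HopLimit
	return opts, nil
}

func main() {
	three := 3 // the Docker-in-Docker case described in the issue
	opts, err := ResolveMetadataOptions(IMDSConfig{DisableIMDSv1: true, HopLimit: &three})
	fmt.Println(opts, err)
}
```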