Re: Hardening access to metadata in OpenStack instances
On Tue, Sep 02, 2025 at 09:21:13AM +0100, kuLa wrote:
> > Under "normal" circumstances, anyone has access to a VM's metadata. It'd
> > be nice to restrict access to it for only the VM (ie: do not accept
> > forwarding) and only from root. This could be done this way:
>
> From my experience not only root needs access to metadata, there is potentially
> a whole host of scripts and automation user side using it as well.

My feeling is that access to IMDS is a matter of policy that should be
left to the administrator responsible for the deployment. As long as we
provide a decent mechanism to control this policy, which we do in the
form of cloud-init's "Disable EC2 Instance Metadata Service" module,
we're good. (I realize that this doesn't do exactly what was proposed;
if admins want finer-grained control, they do still have other
mechanisms like runcmd or custom scripting.)

There is potentially a discussion to be had about the *default* policy
that we want to apply in our images. I'd welcome that discussion, but
that'd be a forky change. Changing it at this point in the trixie
lifecycle would be too disruptive.

noah