Re: Hardening access to metadata in OpenStack instances

[Jonathan Proulx <jon@csail.mit.edu>]

On Tue, Sep 02, 2025 at 08:18:37AM -0400, Noah Meyerhans wrote:

:My feeling is that access to IMDS is a matter of policy that should be
:left to the administrator responsible for the deployment.  As long as we
:provide a decent mechanism to control this policy, which we do in the
:form of cloud-init's "Disable EC2 Instance Metadata Service" module,
:we're good. (I realize that this doesn't do exactly what was proposed;
:if admins want finer grained control, they do still have other
:mechanisms like runcmd or custom scripting.)

As a long time OpenStack operator I agree this is something that
should be left to the deployer.

Restricting access to metadata would be a surprising default as other
Distribitions and cloud platforms (AWS ) don't so there's pretty wide
expectation that unpriveleged users can get this information.

Making it easy to toggle those rules to make restriction easier for
people who want it could be a useful feature.

-Jon

-- 
Jonathan Proulx (he/him)
Sr. Technical Architect
The Infrastructure Group
MIT CSAIL