
Re: Hardening access to metadata in OpenStack instances



On Tue, Sep 02, 2025 at 09:38:05AM -0400, Noah Meyerhans wrote:

:So there is work being done to control IMDS access in commercial clouds.
:What is the current best practice in the OpenStack community?  Is there
:a better interface than the iptables CLI for configuring policy-based
:IMDS access?  That seems like a better direction to take.

I'm not deeply into that subproject so there may be work I'm unaware
of, but I'm not aware of any work in this direction.

A cursory look at current admin[1] and user[2] docs doesn't indicate any
current availability of similar features, nor is there anything in the
specs for the next release[3][4] that looks relevant. Though clearly that
is the righter way.

-Jon

1. https://docs.openstack.org/nova/2025.1/admin/metadata-service.html
2. https://docs.openstack.org/nova/2025.1/user/metadata.html
3. https://specs.openstack.org/openstack/nova-specs/specs/2025.2/index.htm
4. https://specs.openstack.org/openstack/neutron-specs/specs/2025.2/index.html

:noah
:
:1. https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
:2. https://github.com/Azure/GuestProxyAgent
:

-- 
Jonathan Proulx (he/him)
Sr. Technical Architect
The Infrastructure Group
MIT CSAIL
