sigs.k8s.io/cluster-api-provider-aws@v1.5.5/docs/book/src/topics/userdata-privacy.md

# Userdata Privacy

Cluster API Provider AWS bootstraps EC2 instances to create and join Kubernetes clusters using instance user data.
Because Kubernetes clusters are secured with TLS using multiple Certificate Authorities, those Certificate Authorities are generated by
Cluster API and injected into the user data. It is important to note that unless host firewalls are configured, processes on the instance can
retrieve the instance userdata from http://169.254.169.254/latest/api/token.
     7  
## Requirements

* An AMI that includes the AWS CLI
* AMIs using CloudInit
* A working `/bin/bash` shell
* LFS directory layout (i.e. `/etc` exists and is readable by CloudInit)

[Listed AMIs](./images/built-amis.md) on 1.16 and up should include the AWS CLI.
    16  
## How Cluster API secures TLS secrets

Since v0.5.x, Cluster API Provider AWS has used [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
as a limited-time secret store, storing the userdata using KMS encryption at rest in AWS.
The EC2 IMDS userdata will contain a boot script to download the encrypted userdata secret
using instance profile permissions, then immediately delete it from AWS Secrets Manager, and then execute it.

To avoid guessable keys in the AWS Secrets Manager key-value store and to prevent collisions, the key is an encoding of the
Kubernetes namespace, cluster name and instance name, with a random string appended, providing ~256 bits of entropy.

Cluster API Provider AWS also stores the secret ARN in the AWSMachine spec, and will delete the secret if it isn't already deleted and
the machine has registered successfully against the workload cluster API server as a node.
Cluster API Provider AWS will also attempt deletion of the secret if the AWSMachine is otherwise deleted or the EC2 instance
is terminated or has failed.
    31  
This method is only compatible with operating systems and distributions using
[cloud-init](https://cloudinit.readthedocs.io/en/latest/topics/format.html#mime-multi-part-archive). If you are using a different bootstrap
process, you will need to co-ordinate this externally and set the following in the specification of the AWSMachine types to disable the use
of a cloud-init boothook:

``` yaml
cloudInit:
  insecureSkipSecretsManager: true
```
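Before disabling the Secrets Manager path, it is worth seeing what a rendered userdata document exposes to anything on the instance that can query the metadata service. The following Python is an added example, not part of Cluster API Provider AWS: `decode_userdata`, `scan_userdata`, the regexes in `SENSITIVE_PATTERNS` and the constructed MIME archive in `sample_userdata` are assumptions made for illustration; the only behaviour it relies on is that cloud-init accepts gzipped input and MIME multi-part archives.

```python
"""Scan a cloud-init userdata document for plaintext key material.

Added example, not provider code. The patterns and the sample archive below
are constructed for illustration.
"""
import gzip
import re
from email import message_from_bytes
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed markers for material that should never sit in plaintext
# instance userdata. These are examples, not an exhaustive list.
SENSITIVE_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "kubeconfig_token": re.compile(r"^\s*token:\s*\S+", re.MULTILINE),
    # kubeadm bootstrap tokens have the form "abcdef.0123456789abcdef"
    "bootstrap_token": re.compile(r"\b[a-z0-9]{6}\.[a-z0-9]{16}\b"),
}


def decode_userdata(raw: bytes) -> str:
    """Undo the wrappers cloud-init accepts: gzip, then a MIME multi-part
    archive, which is flattened into the text of its individual parts."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    head = raw.lstrip()
    if head.startswith(b"Content-Type:") or head.startswith(b"MIME-Version:"):
        msg = message_from_bytes(raw)
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if not p.is_multipart()]
        raw = b"\n".join(parts)
    return raw.decode("utf-8", errors="replace")


def scan_userdata(raw: bytes) -> dict:
    """Return hit counts per pattern; an empty dict means nothing matched."""
    text = decode_userdata(raw)
    hits = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def sample_userdata() -> bytes:
    """Constructed cloud-init MIME archive (not real cluster output): a fake CA
    key in a cloud-config part and a fake bootstrap token in a boothook part,
    gzipped as cloud-init allows."""
    archive = MIMEMultipart()
    archive.attach(MIMEText(
        "#cloud-config\nwrite_files:\n- path: /etc/kubernetes/pki/ca.key\n"
        "  content: |\n    -----BEGIN RSA PRIVATE KEY-----\n    FAKE-KEY-MATERIAL\n"
        "    -----END RSA PRIVATE KEY-----\n", "cloud-config"))
    archive.attach(MIMEText(
        "#cloud-boothook\n#!/bin/bash\n"
        "kubeadm join 10.0.0.1:6443 --token abcdef.0123456789abcdef\n",
        "cloud-boothook"))
    return gzip.compress(archive.as_bytes())


if __name__ == "__main__":
    # Expected: {'pem_private_key': 1, 'bootstrap_token': 1}
    print(scan_userdata(sample_userdata()))
```

Any non-empty result is material that, with `insecureSkipSecretsManager: true`, would be readable by every process that can reach the instance metadata endpoint, which is exactly the exposure the Secrets Manager boothook exists to avoid.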
    41  
## Troubleshooting

### Script errors

cloud-init does not print boothook script errors to the systemd journal. Logs for the script, if it errored, can be found in
`/var/log/cloud-init-output.log`.

### Warning messages

Because cloud-init will attempt to read the final file at start, cloud-init will always print a `/etc/secret-userdata.txt cannot be found`
message. This can be safely ignored.

### Secrets manager console

The AWS Secrets Manager console should show secrets being created and deleted, with a lifetime of around a minute. No plaintext secret
data will appear in the console as Cluster API Provider AWS stores the userdata as fragments of a gzipped data stream.
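The flow described under "How Cluster API secures TLS secrets" (a random-suffixed key with ~256 bits of entropy, a fetch that deletes the secret before anything executes) and the fragmented, gzipped storage noted just above can be modelled end to end. The following Python is an added example, not code from Cluster API Provider AWS: an in-memory dict stands in for AWS Secrets Manager, the key layout (namespace, cluster, instance, random hex suffix), the 4096-byte fragment size and the constructed payload in `demo` are assumptions, and the node-side fetch is a plain function rather than the provider's cloud-init boothook.

```python
"""Model of the secret-store round trip this page describes.

Added example, not provider code: an in-memory dict stands in for AWS Secrets
Manager, the key layout and the fragment size are assumptions, and the
node-side fetch is a plain function rather than a cloud-init boothook.
"""
import gzip
import hashlib
import secrets

FRAGMENT_SIZE = 4096  # assumed chunk size; the provider's real value is not stated on this page


def secret_prefix(namespace: str, cluster: str, instance: str) -> str:
    """Derive the secret key from namespace, cluster and instance name, then
    append a random suffix carrying 256 bits of entropy (32 random bytes)."""
    suffix = secrets.token_hex(32)  # 32 bytes -> 64 hex characters -> 256 bits
    return f"{namespace}/{cluster}/{instance}/{suffix}"


def store_userdata(store: dict, prefix: str, userdata: bytes) -> list:
    """Gzip the bootstrap userdata and write it as numbered fragments, so that
    no single secret value is a readable plaintext document."""
    blob = gzip.compress(userdata)
    keys = []
    for offset in range(0, len(blob), FRAGMENT_SIZE):
        key = f"{prefix}-{offset // FRAGMENT_SIZE}"
        store[key] = blob[offset:offset + FRAGMENT_SIZE]
        keys.append(key)
    return keys


def fetch_and_delete(store: dict, keys: list) -> bytes:
    """Node-side step: read each fragment and delete it in the same step, then
    reassemble and decompress. Only after this would a boothook execute the
    recovered userdata, so the secret's lifetime is a single fetch."""
    parts = [store.pop(key) for key in keys]  # pop = read + delete
    return gzip.decompress(b"".join(parts))


def demo() -> dict:
    """Run the full flow against the in-memory store and report the
    properties a reviewer would want to check."""
    store = {}
    # Constructed sample: a cloud-config with a fake PEM key, padded with
    # incompressible (hash-derived) bytes so the gzipped blob spans fragments.
    padding = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(400))  # 12800 bytes
    userdata = (b"#cloud-config\nwrite_files:\n- path: /etc/kubernetes/pki/ca.key\n"
                b"  content: |\n    -----BEGIN RSA PRIVATE KEY-----\n    FAKE\n"
                b"    -----END RSA PRIVATE KEY-----\n# padding: " + padding)
    prefix = secret_prefix("default", "demo", "demo-control-plane-abc12")
    keys = store_userdata(store, prefix, userdata)
    fragments = [store[k] for k in keys]
    recovered = fetch_and_delete(store, keys)
    return {
        "suffix_bits": len(prefix.rsplit("/", 1)[1]) * 4,   # hex chars * 4
        "fragments": len(keys),
        "first_is_gzip": fragments[0][:2] == b"\x1f\x8b",   # gzip magic
        "roundtrip_ok": recovered == userdata,
        "store_empty_after_fetch": len(store) == 0,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering: the fragments are removed from the store in the same step that reads them, so a second reader (or an operator looking at the console a minute later) finds nothing, and what was stored was never a plaintext document to begin with.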