On Tue, Sep 02, 2025 at 09:38:05AM -0400, Noah Meyerhans wrote:
:So there is work being done to control IMDS access in commercial clouds.
:What is the current best practice in the OpenStack community? Is there
:a better interface than the iptables CLI for configuring policy-based
:IMDS access? That seems like a better direction to take.
I'm not deeply into that subproject so there may be work I'm unaware of, but I'm not aware of any work in this direction. A cursory look at current admin[1] and user[2] docs doesn't indicate any current availability of similar features, nor is there anything in the specs for the next release[3][4] that looks relevant. Though clearly that is the righter way.

-Jon

1. https://docs.openstack.org/nova/2025.1/admin/metadata-service.html
2. https://docs.openstack.org/nova/2025.1/user/metadata.html
3. https://specs.openstack.org/openstack/nova-specs/specs/2025.2/index.htm
4. https://specs.openstack.org/openstack/neutron-specs/specs/2025.2/index.html

:noah
:
:1. https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
:2. https://github.com/Azure/GuestProxyAgent

-- 
Jonathan Proulx (he/him)
Sr. Technical Architect
The Infrastructure Group
MIT CSAIL
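Since the thread lands on "the iptables CLI" as the only guest-side control available in OpenStack today, here is an added example (not part of the thread, not OpenStack project code) of what that policy looks like in practice: an owner-match rule set that lets a single service account reach the Nova metadata address and logs and rejects every other process. The uid, chain name and log prefix are assumptions chosen for illustration; 169.254.169.254 on TCP port 80 is the metadata endpoint described in the Nova docs linked above.

```bash
#!/bin/sh
# Added example, not from the mailing-list thread or from Nova.
# Guest-side iptables policy: only one uid (e.g. the account that runs
# cloud-init or your config agent) may talk to the metadata service.
# Everything else is logged (for detection) and rejected (for mitigation).

IMDS_ADDR="169.254.169.254"   # Nova metadata service address (per the docs)
IMDS_PORT="80"                # plain-HTTP metadata port
CHAIN="IMDS-POLICY"           # assumed chain name, chosen for this example

# imds_rules UID: print the iptables commands implementing the policy for
# UID. It only generates text, so it can be reviewed or tested without root.
imds_rules() {
    uid="$1"
    [ -n "$uid" ] || { echo "usage: imds_rules UID" >&2; return 1; }
    cat <<EOF
iptables -N ${CHAIN}
iptables -A ${CHAIN} -m owner --uid-owner ${uid} -j ACCEPT
iptables -A ${CHAIN} -j LOG --log-prefix "imds-deny: " --log-level 4
iptables -A ${CHAIN} -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT -d ${IMDS_ADDR} -p tcp --dport ${IMDS_PORT} -j ${CHAIN}
EOF
}

# imds_rule_count UID: number of commands the policy consists of (used to
# sanity-check the generated rule set before applying it).
imds_rule_count() {
    imds_rules "$1" | wc -l | tr -d ' '
}

# imds_apply UID: apply the generated policy. Needs root and iptables; the
# "-N" fails harmlessly if the chain already exists, so stop on other errors.
imds_apply() {
    imds_rules "$1" | sh -e
}

# imds_present UID: exit 0 if a policy allowing UID is already installed.
imds_present() {
    iptables -S "${CHAIN}" 2>/dev/null | grep -q -- "--uid-owner $1 "
}
```

Usage on a guest, as root: `imds_apply 1000` installs the policy for uid 1000, and `iptables -S IMDS-POLICY` (or the `imds-deny:` kernel log lines) shows which other processes tried the endpoint. The `-m owner` match works only in the OUTPUT path, which is exactly where a per-process IMDS policy belongs; note that it does not cover a config drive, which exposes the same data through a block device rather than the network.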
