Merge pull request #55 from SUSE-Enceladus/aws-metadata-option

Add verification section to cover metadata option for hoplimit
SUSE-Enceladus · Sep 20, 2024 · 3ef3ee6 · 3ef3ee6
2 parents 4a9cd23 + 6edddca
commit 3ef3ee6
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/content/rancher-prime/aws/contents.lr b/content/rancher-prime/aws/contents.lr
@@ -49,11 +49,23 @@ If there is no output, you will need to create an OIDC provider:
 eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --region $REGION --approve
 ```
 
+### Verification
+
+Check the MetadataOptions of the EC2 instances which are part of the EKS cluster:
+```
+aws ec2 describe-instances --instance-id <instance id name>
+```
+If the MetadataOptions.HttpPutResponseHopLimit is 1, set it to 2 as follows so the pods are able to successfully access the EC2 instance metadata service. :
+```
+aws ec2 modify-instance-metadata-options --instance-id <instance id name> --http-put-response-hop-limit 2 --http-endpoint enabled
+```
+
 ### IAM Role
 
 To provide the necessary permissions, an IAM role and an attached policy are required. The role name is passed as an argument during the *helm* deployment.
 
-Create the role with a *role name* of your choosing (for example, `rancher-csp-iam-role`), and the required policy attached to it:
+Create the role with a *role name* of your choosing (for example, `rancher-csp-iam-role`), and the required policy attached to it.
+Define and export the variables CLUSTER_NAME, REGION, ROLE_NAME accordingly, then run the eksctl command:
 
 ```
 eksctl create iamserviceaccount \