
Karpenter’s DryRun ec2:RunInstance calls do not include ec2:MetadataHttpTokens in the request context, causing issues with IMDSv2 enforcement #9018

@1847-mohan

Description

Observed Behavior:
We are using Karpenter in an AWS EKS cluster. The ec2:RunInstances DryRun call from Karpenter to the AWS EC2 API is failing with an Unauthorized error due to our organization’s SCP policy, which requires the ec2:MetadataHttpTokens condition to be present in the request context. However, this condition is not included in the DryRun request made by Karpenter.

AWS SCP Policy:

  {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "IMDSxx",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:launch-template/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }]
  }

Expected Behavior:
API calls from Karpenter to the AWS EC2 API during DryRun authorization checks should include the ec2:MetadataHttpTokens condition in the request context, which is required for IMDSv2 enforcement. We have not disabled DryRun, as we see advantages in keeping it enabled.

Please add this in upcoming release.

Reproduction Steps (Please include YAML):
From AWS CloudTrail events, the RunInstances call triggered by Karpenter does not contain the ec2:MetadataHttpTokens condition and instead references the Launch Template in the request context. In contrast, the CreateLaunchTemplate call does include the ec2:MetadataHttpTokens condition, as expected.

Versions:

  • Chart Version: 1.8.1
  • Kubernetes Version (kubectl version): 1.33.6

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
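As an added illustration (not code from Karpenter, AWS or the reporter), the following Python replays constructed CloudTrail-style records against the Deny statement quoted above, so you can see why a RunInstances request that only references a launch template is denied while one that carries metadataOptions itself is not. The records, the launch template name `karpenter-example-lt` and the field layout are assumptions made for the example; the evaluator models only the single Deny statement from the post and the two IAM condition operators it compares, and says nothing about how EC2 itself resolves launch-template parameters into condition keys. The point it makes is a general IAM one: a negated operator such as StringNotEquals matches when the key is absent from the request context, which is exactly the failure mode described in the issue.

```python
"""Replay constructed CloudTrail records against the IMDSv2 SCP from the issue.

Added example, not Karpenter's, AWS's or the reporter's code. The records are
constructed to mirror the calls the reporter compares; field names follow the
EC2 CloudTrail layout as far as known here and are illustrative, not a schema.
"""
from typing import Optional

# The Deny statement quoted in the issue.
SCP_STATEMENT = {
    "Sid": "IMDSxx",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:launch-template/*",
    "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
}

# Assumed launch template name used by every constructed RunInstances record.
LT_REF = {"launchTemplateName": "karpenter-example-lt", "version": "$Latest"}

# Constructed records (not real CloudTrail output).
EVENTS = [
    {  # template creation: MetadataOptions is in the request, so the key is set
        "eventName": "CreateLaunchTemplate",
        "requestParameters": {"CreateLaunchTemplateRequest": {
            "LaunchTemplateName": "karpenter-example-lt",
            "LaunchTemplateData": {"MetadataOptions": {
                "HttpTokens": "required", "HttpPutResponseHopLimit": 1}}}},
    },
    {  # dry-run launch that only references the template: no key in the request
        "eventName": "RunInstances",
        "requestParameters": {"launchTemplate": LT_REF, "dryRun": True,
                              "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}},
        "errorCode": "Client.UnauthorizedOperation",
    },
    {  # dry-run launch that repeats the metadata options explicitly
        "eventName": "RunInstances",
        "requestParameters": {"launchTemplate": LT_REF, "dryRun": True,
                              "metadataOptions": {"httpTokens": "required"},
                              "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}},
        "errorCode": "Client.DryRunOperation",
    },
    {  # launch that explicitly allows IMDSv1: must be denied under both operators
        "eventName": "RunInstances",
        "requestParameters": {"launchTemplate": LT_REF,
                              "metadataOptions": {"httpTokens": "optional"},
                              "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}},
        "errorCode": "Client.UnauthorizedOperation",
    },
]


def metadata_http_tokens(event: dict) -> Optional[str]:
    """ec2:MetadataHttpTokens as carried by this request itself.

    A launchTemplate reference contributes nothing here: that is the gap the
    reporter describes, and the value stays None for such a call.
    """
    params = event.get("requestParameters", {})
    if event["eventName"] in ("CreateLaunchTemplate", "CreateLaunchTemplateVersion"):
        body = (params.get("CreateLaunchTemplateRequest")
                or params.get("CreateLaunchTemplateVersionRequest") or {})
        return body.get("LaunchTemplateData", {}).get("MetadataOptions", {}).get("HttpTokens")
    return params.get("metadataOptions", {}).get("httpTokens")


def condition_matches(operator: str, expected: str, actual: Optional[str]) -> bool:
    """IAM semantics for the two operators worth comparing here.

    A negated operator such as StringNotEquals matches when the key is absent
    from the request context; the ...IfExists form does not.
    """
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    if operator == "StringNotEqualsIfExists":
        return actual is not None and actual != expected
    raise ValueError(f"unsupported operator: {operator}")


def scp_denies(event: dict, operator: str = "StringNotEquals") -> bool:
    """True if the Deny statement matches this call when evaluated with `operator`.

    The default is the operator in the issue's SCP; pass
    "StringNotEqualsIfExists" to see what loosening the statement would change.
    """
    if f"ec2:{event['eventName']}" != SCP_STATEMENT["Action"]:
        return False
    if "launchTemplate" not in event.get("requestParameters", {}):
        return False  # the statement is scoped to launch-template/* resources
    _, expected = next(iter(SCP_STATEMENT["Condition"]["StringNotEquals"].items()))
    return condition_matches(operator, expected, metadata_http_tokens(event))


def triage(events, operator: str = "StringNotEquals"):
    """One (eventName, httpTokens carried by the request, denied) tuple per record."""
    return [(e["eventName"], metadata_http_tokens(e), scp_denies(e, operator)) for e in events]


if __name__ == "__main__":
    for op in ("StringNotEquals", "StringNotEqualsIfExists"):
        print(f"== {op} ==")
        for name, tokens, denied in triage(EVENTS, op):
            print(f"{name:<22} httpTokens={tokens!s:<9} denied={denied}")
```

Running it shows the second record (launch template reference only) denied under StringNotEquals and allowed under StringNotEqualsIfExists, while the record that explicitly sets httpTokens to optional is denied under both. The IfExists form is included only for comparison: switching the SCP to it would let every key-less RunInstances through, which weakens the enforcement the reporter is relying on, so the fix the issue asks for (Karpenter putting the key in the request) is the one that keeps the SCP strict.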

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working), triage/needs-investigation (Issues that need to be investigated before triaging)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests