I think this is best explained in the Official EKS Best Practices Guides > Security > Identity and Access Management (IAM) > Restrict access to the instance profile assigned to the worker node
Quoting from it
the pod can still inherit the rights of the instance profile assigned to the worker node
it is strongly recommended that you block access instance metadata to minimize the blast radius of a breach.
It doesn't matter if you are using IRSA (IAM Roles for Service Accounts) or not, it's good to block the access to the instance metadata from pods.
If a pod actually need IAM credentials then you should use IRSA (or other means get IAM credentials) that way you can be in line with least privilege principle.
To block the pod from getting the IAM credentials from the EKS node ec2 instance profile (iam role of the node) there are 3 alternatives mentioned in Restrict access to instance profile:
- Modify the launch template to require the instance to use IMDSv2 (emphasis on v2) with hop count set to 1
iptables
in the node.
- Kubernetes network policies
NetworkPolicy
- Create a
NetworkPolicy
that applies to all pods that blocks the access to 169.254.169.254/32 (the metadata discovery address)
- Add a
NetworkPolicy
to the specific pods that need access to it. This still violates the least privilege principle, because those pods will get all permissions of the node iam role which are already broad.
The best option (IMHO) is to require IMDSv2 and hop count/hop limit 1 in the launch template HttpEndpoint=enable,HttpTokens=required,HttpPutResponseHopLimit=1
, the pods will still be able to make the request to the metadata discovery endpoint but they will never get the response because the response packets will be dropped at the first router (virtual) between the node and the pod.