Protecting Node Metadata and Endpoints

Worker nodes sit at the perimeter. They host your workloads, expose the network stack, and run the kubelet that reports back to the control plane. That same exposure makes them an attack surface.
Cloud providers expose instance metadata services on every VM at 169.254.169.254. By default, any pod on a node can reach that link-local address and retrieve IAM credentials, instance identity tokens, and provisioning data. The 2019 Capital One breach demonstrated what happens when metadata access goes unchecked: a compromised web application firewall reached the AWS metadata endpoint, retrieved IAM role credentials, and exfiltrated data from over 100 million customer records. The metadata service wasn't the vulnerability, but it was the escalation path.
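One standard mitigation for the path described above is to cut pod egress to the link-local metadata address at the network layer. The following NetworkPolicy is an added example, not code from the lesson; the namespace name `web` is an assumption for illustration.

```yaml
# Added example (not part of the lesson): deny every pod in the namespace
# egress to the cloud instance metadata service while leaving all other
# egress open. Namespace "web" is an assumed name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-egress
  namespace: web
spec:
  # An empty podSelector matches every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Once an Egress policy selects a pod, only the listed destinations are
    # allowed, so 0.0.0.0/0 keeps normal traffic (including cluster DNS)
    # working and the except list carves out only 169.254.169.254.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
```

This only takes effect with a CNI plugin that enforces NetworkPolicy, and it does not cover pods running with `hostNetwork: true`, which share the node's network namespace and reach the metadata endpoint directly.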
Create a free account or sign in to enroll in the CKS — Certified Kubernetes Security Specialist course and access all 25 lessons.