Enable pods to access AWS metadata
You can enable pod access to the AWS metadata endpoint for all pods or for individual pods. Metadata includes instance and user metadata, as well as the IAM credentials of the node. For details, see:
By default, Calico Cloud blocks pods from accessing the AWS metadata endpoint on their node.
Enable pod access to metadata
The following command allows an individual pod to access the AWS metadata endpoint on its node.
kubectl label pods <pod-name> aws.tigera.io/allow-metadata-access=true
Enable all pods to access the AWS metadata endpoint
If the number of pods you need to allow exceeds the number that you need to block, it may be more convenient to change the default to allow access and then deny access to individual pods that do not need it.
Edit the AmazonCloudIntegration resource.
kubectl edit amazoncloudintegration tigera-secure
Set the defaultPodMetadataAccess field to Allowed, leaving the rest of the spec unchanged:
apiVersion: operator.tigera.io/v1
kind: AmazonCloudIntegration
metadata:
  name: tigera-secure
spec:
  # Do not remove any of the existing fields
  defaultPodMetadataAccess: Allowed
Now all pods can access AWS metadata by default.
Note: You can also add the defaultPodMetadataAccess field to the AmazonCloudIntegration when it is initially created.
Use the following command to block specific pods.
kubectl label pods <pod-name> aws.tigera.io/allow-metadata-access=false
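As an added example (not part of the Calico Cloud documentation), the following Python audit resolves each pod's effective access to the metadata endpoint from the integration default combined with the per-pod label described above, run over a constructed sample in the shape of kubectl get pods -A -o json. It assumes the default is expressed as the strings Allowed or Denied and that the label carries only the values true and false shown on this page.

```python
"""Audit which pods can reach the AWS metadata endpoint under Calico Cloud.

Effective access = per-pod label aws.tigera.io/allow-metadata-access when set,
otherwise the AmazonCloudIntegration default (defaultPodMetadataAccess).
"""
import json

LABEL = "aws.tigera.io/allow-metadata-access"


def pod_name(pod: dict) -> str:
    """Return namespace/name for reporting."""
    md = pod.get("metadata", {})
    return f"{md.get('namespace', 'default')}/{md.get('name', '?')}"


def pod_has_metadata_access(pod: dict, default_access: str) -> bool:
    """Resolve effective access; the label, when present, overrides the default."""
    labels = pod.get("metadata", {}).get("labels") or {}
    value = labels.get(LABEL)
    if value is None:
        # Assumption: default is the string "Allowed" or "Denied" (Denied when absent).
        return default_access == "Allowed"
    if value == "true":
        return True
    if value == "false":
        return False
    # Assumption: only true/false are valid; anything else is a misconfiguration.
    raise ValueError(f"{pod_name(pod)}: unexpected value {value!r} for {LABEL}")


def audit(pods_json: str, default_access: str) -> list[str]:
    """Return sorted namespace/name of every pod that can reach the endpoint."""
    pods = json.loads(pods_json)["items"]
    return sorted(pod_name(p) for p in pods if pod_has_metadata_access(p, default_access))


# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "api", "labels": {LABEL: "true"}}},
    {"metadata": {"namespace": "prod", "name": "worker", "labels": {"app": "worker"}}},
    {"metadata": {"namespace": "ci", "name": "runner", "labels": {LABEL: "false"}}},
]})

if __name__ == "__main__":
    for default in ("Denied", "Allowed"):
        print(f"default={default}: {audit(SAMPLE_PODS, default)}")
```

Replace SAMPLE_PODS with the output of kubectl get pods -A -o json and pass the value read from the AmazonCloudIntegration spec to review which pods hold node IAM credential access after a default change.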