Skip to main content
Version: 3.18 (latest)

Enable pods to access AWS metadata

Big picture​

Enable pods to access AWS metadata.

Value​

You can enable pod access to the AWS metadata endpoint for all or individual pods. Metadata includes instance and user metadata, and IAM credentials of the node. For details, see:

How to​

By default, Calico Enterprise blocks pods from accessing the AWS metadata endpoint on their node.

Enable pod access to metadata​

The following command allows an individual pod to access the AWS metadata endpoint on its node.

kubectl label pods <pod-name> aws.tigera.io/allow-metadata-access=true

Enable all pods to access the AWS metadata endpoint​

If the number of pods you need to allow exceeds the number that you need to block, it may be more convenient to change the default to allow access and then deny access to individual pods that do not need it.

  • Edit the AmazonCloudIntegration resource.

    kubectl edit amazoncloudintegration tigera-secure
    apiVersion: operator.tigera.io/v1beta1
    kind: AmazonCloudIntegration
    metadata:
      name: tigera-secure
    spec:
      defaultPodMetadataAccess: Allowed
      # Do not remove any of the existing fields

    Now all pods can access AWS metadata by default.

    note

    You can also add the defaultPodMetadataAccess field to the AmazonCloudIntegration when it is initially created.

  • Use the following command to block specific pods.

    kubectl label pods <pod-name> aws.tigera.io/allow-metadata-access=false