From grazing the Terraform, var.eks_managed_node_group_defaults.metadata_options is not specified and defaults to 2.
Per https://docs.aws.amazon.com/whitepapers/latest/security-practices-multi-tenant-saas-applications-eks/restrict-the-use-of-host-networking-and-block-access-to-instance-metadata-service.html, it's better if pods can't impersonate the host.
Unsure if you have, e.g., iptables blocking 169, but you can't enforce that via SCP, so it's probably not the case.
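For concreteness, the setting the comment above refers to, with the module default and a hardened value side by side. This is an added example, not code from the PR under review; it assumes the terraform-aws-modules/eks/aws module (v19 or later) and an EKS managed node group, and the cluster name, version, instance type, sizes and the `var.vpc_id` / `var.private_subnet_ids` inputs are placeholders.

```hcl
# Added example (not the reviewed Terraform). Assumes terraform-aws-modules/eks/aws v19+;
# cluster name/version, instance type, group sizes and the two var.* inputs are placeholders.

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.0"

  cluster_name    = "example"
  cluster_version = "1.27"
  vpc_id          = var.vpc_id
  subnet_ids      = var.private_subnet_ids

  eks_managed_node_group_defaults = {
    # What the module applies when metadata_options is left unset (the case noted above):
    #
    # metadata_options = {
    #   http_endpoint               = "enabled"
    #   http_tokens                 = "required"
    #   http_put_response_hop_limit = 2   # a pod in its own network namespace can still reach IMDS
    # }

    # Hardened: with a hop limit of 1 the IMDSv2 PUT response's TTL expires when it
    # crosses from the node into a pod's network namespace, so the pod gets no token
    # and cannot call IMDS. http_tokens = "required" disables IMDSv1 entirely.
    metadata_options = {
      http_endpoint               = "enabled"
      http_tokens                 = "required"
      http_put_response_hop_limit = 1
    }
  }

  eks_managed_node_groups = {
    default = {
      instance_types = ["m6i.large"]
      min_size       = 1
      max_size       = 3
      desired_size   = 2
    }
  }
}
```

Two caveats worth keeping in mind: the hop limit only helps pods that have their own network namespace, so a hostNetwork pod still reaches IMDS exactly as the node does, which is why the AWS page linked above pairs this with restricting hostNetwork; and none of this is expressible as an SCP, so the only enforcement is in the Terraform itself (or a node-level egress block on 169.254.169.254 plus a policy forbidding hostNetwork).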