Set IMDS max hop limit to 1 for control plane nodes

Update docs/releases/1.26-NOTES.md

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>

docs/releases/1.26-NOTES.md

@@ -16,6 +16,8 @@ This is a document to gather the release notes prior to the release.
 
 * The AWS Load Balancer, when enabled, will run on worker nodes if IRSA is enabled as of Kubernetes version 1.24.
 
+* As of Kubernetes version 1.26 and with IRSA enabled, control plane nodes will now run with a max hop limit of 1 for the metadata service. This will prevent Pods without host networking from accessing the instance metadata service.
+
 # Breaking changes
 
 ## Other breaking changes

tests/integration/create_cluster/minimal-1.26-irsa/expected-v1alpha2.yaml

@@ -70,7 +70,7 @@ metadata:
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20221018
   instanceMetadata:
-    httpPutResponseHopLimit: 3
+    httpPutResponseHopLimit: 1
     httpTokens: required
   machineType: m3.medium
   maxSize: 1

upup/pkg/fi/cloudup/new_cluster.go

@@ -855,6 +855,9 @@ func setupMasters(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap
 						HTTPTokens:              fi.String("required"),
 					}
 				}
+				if cluster.IsKubernetesGTE("1.26") && fi.BoolValue(cluster.Spec.IAM.UseServiceAccountExternalPermissions) {
+					g.Spec.InstanceMetadata.HTTPPutResponseHopLimit = fi.Int64(1)
+				}
 			}
 
 			g.Spec.MachineType = opt.MasterSize