diff --git a/docs/releases/1.26-NOTES.md b/docs/releases/1.26-NOTES.md
index 3d587a8991..bcc7951b7f 100644
--- a/docs/releases/1.26-NOTES.md
+++ b/docs/releases/1.26-NOTES.md
@@ -16,6 +16,8 @@ This is a document to gather the release notes prior to the release.
 * The AWS Load Balancer, when enabled, will run on worker nodes if IRSA is enabled as of Kubernetes version 1.24.
+* As of Kubernetes version 1.26 and with IRSA enabled, control plane nodes will now run with a max hop limit of 1 for the metadata service. This will prevent Pods without host networking from accessing the instance metadata service.
+
 # Breaking changes
 ## Other breaking changes
diff --git a/tests/integration/create_cluster/minimal-1.26-irsa/expected-v1alpha2.yaml b/tests/integration/create_cluster/minimal-1.26-irsa/expected-v1alpha2.yaml
index ad1ff75d71..b0f1801269 100644
--- a/tests/integration/create_cluster/minimal-1.26-irsa/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/minimal-1.26-irsa/expected-v1alpha2.yaml
@@ -70,7 +70,7 @@ metadata:
 spec:
   image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20221018
   instanceMetadata:
-    httpPutResponseHopLimit: 3
+    httpPutResponseHopLimit: 1
     httpTokens: required
   machineType: m3.medium
   maxSize: 1
diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go
index 5b397896b6..ad876e5a6b 100644
--- a/upup/pkg/fi/cloudup/new_cluster.go
+++ b/upup/pkg/fi/cloudup/new_cluster.go
@@ -855,6 +855,9 @@ func setupMasters(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap
 				HTTPTokens: fi.String("required"),
 			}
 		}
+		if cluster.IsKubernetesGTE("1.26") && fi.BoolValue(cluster.Spec.IAM.UseServiceAccountExternalPermissions) {
+			g.Spec.InstanceMetadata.HTTPPutResponseHopLimit = fi.Int64(1)
+		}
 	}
 	g.Spec.MachineType = opt.MasterSize
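Review bot: The new assignment in the new_cluster.go hunk dereferences `g.Spec.InstanceMetadata` without a nil check, yet that struct is only built inside the block closed by the two braces just above it; if that block's guard (outside the hunk) can be false while `IsKubernetesGTE("1.26")` and IRSA are true, this panics on a nil pointer. Writing the condition as `if g.Spec.InstanceMetadata != nil && cluster.IsKubernetesGTE("1.26") && fi.BoolValue(cluster.Spec.IAM.UseServiceAccountExternalPermissions) {` makes it safe independent of the surrounding guards, and `cluster.Spec.IAM` deserves the same treatment if it is a pointer field. A why-comment would help the next reader, e.g. `// IRSA gives the control plane AWS credentials via service account tokens, so IMDS can be limited to the host itself; hop limit 1 keeps non-hostNetwork Pods from reaching it.` Note that the hop limit only constrains IMDSv2 token responses, so it is effective here only because `HTTPTokens` is already `required` in the preceding block — that pairing must be kept. setupMasters starts and ends outside the hunk.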