Hello, I realize this repository is deprecated, so there may not be a way to report security issues at this point in time. However, I have discovered a way to bypass the Kiam agent and receive IAM credentials for the underlying Kubernetes node, as an unprivileged pod. This issue is in the Kiam agent and not in how traffic is forwarded to it.

Is there a security contact for this repository I could privately forward the issues along to? Otherwise, if this project isn't being maintained, I guess I will just disclose the issue details here as a heads up for those looking at/auditing Kiam.

Use the --iptables switch for the agent--not sure that it supports IPVS (if relevant)

This issue isn't related to how traffic makes it to the Kiam node, so shouldn't matter how you steer traffic towards it. I am hesitant to post any more information here, so will let this issue sit for a bit.

Whatever. You've evidently got it covered, huh?
You'll find that your problem is rooted in the server pod being redirected to the agent service when trying to connect to the metadata endpoint (due to those agent-installed iptables nat rules)

Good luck