An EKS Pod Needs AWS Access. Attach It to the Node Role?
A pod needs to read S3, and a teammate wants to add the permission to the EKS node role to unblock it. Defend the least-privilege approach.
The decision you defend
A pod in your EKS cluster needs to read from S3. A teammate says just add the S3 permission to the node instance role so the pod can use it immediately. Do you agree, and what should you do instead?
The situation
A new pod in your EKS cluster needs to read objects from an S3 bucket. Right now it has no AWS permissions, so its calls fail, and the team wants it working today.
Context
The cluster nodes run with an instance role used for core cluster functions, and the cluster already has an OIDC provider available. A teammate proposes simply attaching an S3 read policy to the node instance role: the AWS SDK inside the pod picks those credentials up automatically from the instance metadata service, so no extra setup is needed. Note that every pod scheduled on those nodes, not just the one that needs S3, would inherit whatever the node role can do.
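As an added example (not part of this challenge page), assuming the least-privilege alternative is a dedicated IAM role that only the pod's Kubernetes service account can assume through the cluster's OIDC provider: the helper below builds such a trust policy from a constructed provider ARN, and the checker flags policies whose `sub` condition is missing or wildcarded, which would let any pod in the cluster assume the role.

```python
# Constructed placeholder values, not a real account or cluster.
OIDC_PROVIDER_ARN = ("arn:aws:iam::111122223333:oidc-provider/"
                     "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID")
OIDC_HOST = OIDC_PROVIDER_ARN.split("oidc-provider/", 1)[1]


def irsa_trust_policy(namespace: str, service_account: str) -> dict:
    """Hypothetical helper: trust policy that lets exactly one Kubernetes
    service account (namespace + name) assume the role via web identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{OIDC_HOST}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return least-privilege findings for a trust policy document.
    An empty list means the role is pinned to this cluster's OIDC provider,
    the STS audience, and a single named service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != OIDC_PROVIDER_ARN:
            findings.append("federated principal is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        if equals.get(f"{OIDC_HOST}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        # sub may legitimately appear under StringEquals or StringLike
        sub = equals.get(f"{OIDC_HOST}:sub") or like.get(f"{OIDC_HOST}:sub")
        if sub is None:
            findings.append("no sub condition: any service account in the cluster can assume the role")
        elif "*" in sub:
            findings.append(f"sub uses a wildcard ({sub}): broader than one service account")
    return findings
```

Run the checker against any role's trust policy before annotating the service account with it; a wildcarded or absent `sub` is the same over-sharing problem as the node role, just moved one layer up.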
How this challenge works
Take a position on the decision above and defend it. A senior-engineer AI will push back over up to 5 rounds. When you are done, you are scored against a verified rubric so you can see exactly what a complete answer covers. These are learning prompts, not gotchas.