Google GKE (Google Kubernetes Engine):

Workload Identity for GCP service account binding - GKE Autopilot enforces hardened security baseline - Metadata server access from pods