diff --git a/api/anubis/k8s/pipeline.py b/api/anubis/k8s/pipeline.py
index 6fb333d07..191e66ef3 100644
--- a/api/anubis/k8s/pipeline.py
+++ b/api/anubis/k8s/pipeline.py
@@ -72,7 +72,16 @@ def create_pipeline_job_obj(submission: Submission) -> client.V1Job:
                 "network-policy": "submission-pipeline",
             }
         ),
-        spec=client.V1PodSpec(restart_policy="Never", containers=[container]),
+        spec=client.V1PodSpec(
+            restart_policy="Never",
+            containers=[container],
+            # Minimal service account with no extra permissions
+            service_account_name='theia-ide',
+            # Disable service information from being injected into the environment
+            enable_service_links=False,
+            # Don't mount service account tokens
+            automount_service_account_token=False,
+        ),
     )
 
     # Create the specification of deployment
diff --git a/api/anubis/k8s/theia.py b/api/anubis/k8s/theia.py
index a56de49b4..d962e58d5 100644
--- a/api/anubis/k8s/theia.py
+++ b/api/anubis/k8s/theia.py
@@ -521,6 +521,12 @@ def create_theia_k8s_pod_pvc(
             containers=pod_containers,
             # Add the shared Volume(s)
             volumes=pod_volumes,
+            # Minimal service account with no extra permissions
+            service_account_name='theia-ide',
+            # Disable service information from being injected into the environment
+            enable_service_links=False,
+            # Don't mount service account tokens
+            automount_service_account_token=False,
             # Add any extra things in the spec (depending on the
             # options set for the session)
             **spec_extra,
diff --git a/k8s/chart/templates/network-policy.yml b/k8s/chart/templates/network-policy.yml
index c65c69bb2..d7b6e9527 100644
--- a/k8s/chart/templates/network-policy.yml
+++ b/k8s/chart/templates/network-policy.yml
@@ -56,7 +56,7 @@ spec:
           - 10.0.0.0/8
           - 192.168.0.0/16
           - 172.16.0.0/12
-          - 169.254.169.254 # Hosting Provider Metadata IP
+          - 169.254.169.254/32 # Hosting Provider Metadata IP
 ---
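Review bot: The pipeline job pod now runs under the `theia-ide` ServiceAccount, the same identity the IDE pods use (see the theia.py hunk), so the two workloads can no longer be told apart in API-server audit logs or given different RBAC later without affecting both; a dedicated `submission-pipeline` ServiceAccount, mirroring the `network-policy: submission-pipeline` label a few lines above, keeps the identities separate at no cost. With `automount_service_account_token=False` the "no extra permissions" comment is true only while no Role/ClusterRoleBinding references the account and no projected `serviceAccountToken` volume is added, which the comment should say: `# Minimal service account: no token is mounted and no (Cluster)RoleBinding may reference it`. The literal `'theia-ide'` is also repeated in theia.py; a shared module-level constant would stop the two from drifting apart. create_pipeline_job_obj begins before this hunk.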
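Review bot: The three new kwargs are placed before `**spec_extra` in the same `V1PodSpec(...)` call, so if `spec_extra` ever carries `service_account_name`, `enable_service_links` or `automount_service_account_token` Python raises `TypeError: got multiple values for keyword argument` and the session pod is never created; I cannot see how `spec_extra` is built from the session options, as that is outside the hunk. Failing closed is the right outcome here, but it should be deliberate rather than incidental: a short comment such as `# Hardening kwargs are fixed; a duplicate key in spec_extra is a programming error and raises TypeError` next to `**spec_extra` tells the next maintainer not to "fix" it by moving the unpacking first, which would let a session option silently re-enable token mounting. create_theia_k8s_pod_pvc starts before and continues after this hunk.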
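Review bot: Adding `/32` turns the entry into a valid CIDR so the whole `except` list is now honoured, but it still only blocks the single IPv4 metadata address; the rest of the link-local range is never a legitimate egress destination for a student workload, and some providers also serve metadata on an IPv6 address, so I would widen the line to `- 169.254.0.0/16 # link-local, includes hosting-provider metadata endpoints` and add the provider's IPv6 metadata address if the cluster is dual-stack (not visible here). The `ipBlock.cidr` this `except` list belongs to is outside the hunk, so I am assuming it is a catch-all range.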
@@ -93,7 +93,7 @@ spec:
           - 10.0.0.0/8
           - 192.168.0.0/16
           - 172.16.0.0/12
-          - 169.254.169.254 # Hosting Provider Metadata IP
+          - 169.254.169.254/32 # Hosting Provider Metadata IP
     - to:
         - podSelector:
             matchLabels:
diff --git a/k8s/chart/templates/theia.yml b/k8s/chart/templates/theia.yml
index c6e9f5d5c..395f587c7 100644
--- a/k8s/chart/templates/theia.yml
+++ b/k8s/chart/templates/theia.yml
@@ -96,6 +96,20 @@ spec:
       targetPort: 5000
 ---
 
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: theia-ide
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+    component: theia
+{{- if .Values.imagePullSecret }}
+imagePullSecrets:
+  - name: {{ .Values.imagePullSecret }}
+{{- end }}
+
+---
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
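Review bot: The new `theia-ide` ServiceAccount depends on every pod that uses it setting `automount_service_account_token=False` in its own pod spec; setting the same field on the account itself, `automountServiceAccountToken: false` at the top level beside `imagePullSecrets`, makes the no-token default hold even for a pod spec that forgets the flag, and the pod-level setting still wins when it is present. The account has no RoleBinding in this hunk, which is the intent of the commit, and that is worth stating above the resource so a future binding is recognised as a policy change: `# Intentionally unbound: no Role/ClusterRoleBinding should reference this account`. The ServiceAccount that follows starts at the last line of the hunk and is cut off here.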