diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index c8b38ce852..04fd7534ec 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -713,6 +713,15 @@ audit_webhook_batch_max_size: "250"
 kube2iam_cpu: "25m"
 kube2iam_memory: "100Mi"
+# configure whether kube2iam should only run on worker nodes.
+# This depends on control_plane_asg_lifecycle_hook=false as kube-node-ready
+# doesn't work without kube2iam.
+{{if eq .Cluster.Environment "production"}}
+kube2iam_worker_only: "false"
+{{else}}
+kube2iam_worker_only: "true"
+{{end}}
+
 # CIDR configuration for nodes and pods
 # Changing this will change the number of nodes and pods we can schedule in the
 # cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr
diff --git a/cluster/manifests/kube2iam/daemonset.yaml b/cluster/manifests/kube2iam/daemonset.yaml
index 564ddc2f43..f8a8ae2faa 100644
--- a/cluster/manifests/kube2iam/daemonset.yaml
+++ b/cluster/manifests/kube2iam/daemonset.yaml
@@ -21,6 +21,10 @@ spec:
 annotations:
 logging/destination: "{{.Cluster.ConfigItems.log_destination_infra}}"
 spec:
+{{- if and (eq .Cluster.ConfigItems.kube2iam_worker_only "true") (eq .Cluster.ConfigItems.control_plane_asg_lifecycle_hook "false") }}
+ nodeSelector:
+ node.kubernetes.io/role: worker
+{{- end }}
 dnsConfig:
 options:
 - name: ndots
diff --git a/cluster/manifests/skipper/skipper-redis.yaml b/cluster/manifests/skipper/skipper-redis.yaml
index 7326ce5a83..c722a01031 100644
--- a/cluster/manifests/skipper/skipper-redis.yaml
+++ b/cluster/manifests/skipper/skipper-redis.yaml
@@ -3,7 +3,7 @@ kind: StatefulSet
 metadata:
 labels:
 application: skipper-ingress-redis
- version: v6.2.7
+ version: v7.2.4
 annotations:
 zalando.org/update-using-hpa-replicas: skipper-ingress-redis
 name: skipper-ingress-redis
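Review bot: The comment added above `kube2iam_worker_only` in cluster/config-defaults.yaml does not say what happens when the dependency it names is not met. Going by the condition added to cluster/manifests/kube2iam/daemonset.yaml in this same commit, a value of "true" is ignored unless `control_plane_asg_lifecycle_hook` is "false", so kube2iam keeps running on every node and no error is reported. I would state that in the comment, for example `# Has no effect unless control_plane_asg_lifecycle_hook is "false"; kube2iam then stays on all nodes.` A further line on why production defaults to "false" would help the next reader; presumably this is a staged rollout, but the diff does not say.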
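Review bot: Nothing in the cluster/manifests/kube2iam/daemonset.yaml hunk keeps pods on non-worker nodes away from the instance metadata endpoint once the added `nodeSelector` removes kube2iam from those nodes. kube2iam normally sits between pods and the metadata API and hands out per-pod roles. Without it, a pod on the pod network of a control-plane node may receive that node's instance-profile credentials instead, depending on node-level settings that are not visible in this diff. Before enabling this outside test clusters, confirm that those nodes restrict metadata access themselves (for example IMDSv2 with a hop limit of 1) and that no workload scheduled there relies on the `iam.amazonaws.com/role` annotation. A comment above the selector such as `# pods on non-worker nodes bypass kube2iam when this is active; node IMDS restrictions must cover them` would record the assumption; the pod spec continues outside the hunk.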
@@ -19,7 +19,7 @@ spec:
 labels:
 statefulset: skipper-ingress-redis
 application: skipper-ingress-redis
- version: v6.2.7
+ version: v7.2.4
 annotations:
 cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
 logging/destination: "{{.Cluster.ConfigItems.log_destination_infra}}"
@@ -50,7 +50,7 @@ spec:
 - skipper-ingress-redis
 priorityClassName: "{{ .Cluster.ConfigItems.system_priority_class }}"
 containers:
- - image: container-registry.zalando.net/library/redis-6-alpine:6-alpine-20220622
+ - image: container-registry.zalando.net/library/redis-7-alpine:7-alpine-20240226
 name: skipper-ingress-redis
 args:
 - /usr/local/bin/docker-entrypoint.sh