Recommended NetworkPolicy for Istiod in EKS

Hi Folks,

 What is the recommended NetworkPolicy for Istiod in EKS?
 Istiod runs as a POD within the K8s cluster and I want to ensure that traffic only from kube-api server is allowed to this POD.

 For an On-Prem deployment, the kube-api server also runs as a static pod and is identifiable using label `component=kube-apiserver,tier=control-plane`

 In case of EKS, the kube-api server is part of the managed control plane and it's not addressable via similar labels as mentioned above. In that situation, what is the suggested mechanism to enforce a restriction that traffic only from kube-api server reaches the Istio POD?

There are options to enforce this using CIDR (Calico CNI plugin) or DNS hostnames (Cilium CNI plugin).

Are there any other available options to achieve this?

Thanks,
Alphonse