- Use an identity provider (IdP) for authorization
- Use a dedicated service account per workload
- Configure RBAC for both users and workloads
- Apply CIS/NIST benchmarks for node security
- Run kube-bench against the cluster
- Every namespace should have a NetworkPolicy
- DO NOT EXPOSE your cluster to the Internet
- Differentiate between public and private workloads
- Secrets should be stored in third-party storage:
  - HashiCorp Vault
  - etcd only in encrypted form
- Secrets should be added to the container using the volumeMount mechanism or the secretKeyRef mechanism
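The following manifest is an added example, not part of the original checklist, that puts the service-account, RBAC and NetworkPolicy items together as a per-namespace baseline. The namespace `payments`, the workload `orders-api` and the Role contents are assumptions chosen for illustration; the `k8s-app: kube-dns` label is the usual label on cluster DNS Pods but must be verified on your cluster.

```yaml
# Added example (not from the original checklist): a per-namespace baseline.
# Namespace "payments" and workload "orders-api" are assumed names.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
---
# One ServiceAccount per workload. The API token is not auto-mounted;
# a Pod that never talks to the API server should not carry one.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: payments
automountServiceAccountToken: false
---
# Least-privilege Role scoped to this namespace: read-only on ConfigMaps,
# no wildcards, no cluster scope, no access to Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-api-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-api-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: orders-api
    namespace: payments
roleRef:
  kind: Role
  name: orders-api-reader
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: an empty podSelector selects every Pod in the namespace, and
# listing both policyTypes drops all ingress and egress unless another policy
# allows it. A namespace with no NetworkPolicy at all stays wide open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Default-deny egress also blocks DNS, which breaks almost every workload.
# Re-allow port 53 to the cluster DNS Pods only (verify the label matches).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply it with `kubectl apply -f` and check the result with `kubectl auth can-i --as=system:serviceaccount:payments:orders-api get secrets -n payments`, which should answer `no`. NetworkPolicy is only enforced when the cluster's CNI plugin supports it; on a CNI without policy support the objects are accepted but have no effect, so test connectivity from a Pod after applying.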
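The last item, as an added example that is not from the original checklist: one Pod consuming the same Secret both ways, with comments on when each mechanism is preferable. The Secret, its values, the namespace, the service account and the image are placeholders constructed for illustration; in practice the Secret object would be populated from an external store rather than written into a manifest.

```yaml
# Added example (not from the original checklist). The Secret is included
# only so the Pod manifest is self-contained; its values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: orders-api-creds
  namespace: payments
type: Opaque
stringData:
  db-password: "placeholder-not-a-real-password"
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    placeholder
    -----END PRIVATE KEY-----
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: payments
spec:
  serviceAccountName: orders-api     # assumed to exist in this namespace
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000                    # lets the non-root user read mounted files
  containers:
    - name: app
      image: registry.example.com/orders-api:1.0   # placeholder image
      env:
        # secretKeyRef: a single key becomes an environment variable.
        # Environment is readable by anything that can inspect the process
        # (crash dumps, `kubectl exec ... env`, child processes) and is never
        # refreshed after the container starts, so keep this to short values.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: orders-api-creds
              key: db-password
      volumeMounts:
        # volumeMount: the key is projected as a read-only file. The kubelet
        # updates the file when the Secret changes, which env vars never see.
        - name: tls
          mountPath: /etc/orders/tls
          readOnly: true
  volumes:
    - name: tls
      secret:
        secretName: orders-api-creds
        items:
          - key: tls.key
            path: server.key
        defaultMode: 0440            # owner/group read only
```

Only the keys listed under `items` are projected, so a Secret holding several credentials does not spill all of them into every container that mounts it. If the application needs the API server at all, grant that through the ServiceAccount's RBAC rather than by placing a long-lived token in a Secret.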