kube-apiserver is the center of all operations within the k8s cluster: every change to the cluster, whether made by a user with kubectl or by another control-plane component, goes through it. So the first line of defense is to control access to the kube-apiserver. This involves two considerations:
All communication between the k8s components (kube-apiserver, etcd, kube-scheduler, kube-controller-manager and the kubelet on each node) is secured with TLS. Each component presents its own certificate issued by the cluster CA, so the traffic is encrypted and the peers authenticate each other; this protects data in transit but does not by itself decide what a caller is allowed to do.
By default the Kubernetes network model lets every pod reach every other pod in the cluster, across namespaces. We can restrict access between pods using NetworkPolicies. NetworkPolicies are enforced by the CNI network plugin, not by the API server: on a cluster whose plugin does not support them, the policy objects are accepted but have no effect.
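As an added example (not part of the original notes), the two NetworkPolicy objects below show the usual pattern: first deny all ingress to every pod in a namespace, then allow only the specific traffic that is needed. The namespace "payments", the pod labels app=api and app=db, and the database port 5432 are assumptions made for the illustration.

```yaml
# Added example, not from the original notes. Assumes a namespace "payments",
# pods labelled app=api and app=db, and a CNI plugin that enforces NetworkPolicy.

# 1) Default deny: an empty podSelector matches every pod in the namespace, and
#    listing Ingress in policyTypes with no ingress rules means no inbound
#    traffic is allowed to any of them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2) Allow only pods labelled app=api (in the same namespace) to reach pods
#    labelled app=db, and only on TCP 5432. Policies are additive: this rule
#    opens a hole in the default deny above without replacing it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

Apply both with kubectl apply -f, then verify from a pod that does not carry the app=api label that it can no longer connect to the database; if the connection still succeeds, the network plugin is most likely not enforcing NetworkPolicy at all. Note that the default-deny policy also blocks traffic from other namespaces, so any legitimate cross-namespace client needs its own allow rule using a namespaceSelector.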