Control plane & etcd
Encrypt secrets at rest, lock the API server, guard the CA.
The control plane is the cluster’s brain and its crown jewels — the API server, etcd, and kubelets. Compromise any of them and workload-level controls no longer matter, so hardening them is the foundation everything else rests on.
etcd, the API server, and encryption at rest
etcd stores all cluster state, and critically, Secrets are only base64-encoded there by default — so read access to etcd, or to an etcd backup, is read access to every credential in the cluster. Enable encryption at rest (ideally KMS-backed) so a datastore or backup leak does not hand over your secrets, and restrict etcd to the API server alone. The API server is the single entry point for all actions: protect it with strong authentication, RBAC authorization, comprehensive audit logging, and network restriction — never expose it broadly, and disable anonymous auth. These two components define the cluster’s trust; guard them accordingly.
# EncryptionConfiguration for the API server — Secrets stored encrypted, not# just base64. Prefer a KMS provider so the key lives outside the cluster.apiVersion: apiserver.config.k8s.io/v1kind: EncryptionConfigurationresources:- resources: ["secrets"]providers:- kms:name: cluster-kmsendpoint: unix:///var/run/kms.sock- identity: {} # fallback for reads of pre-existing plaintext# Without this, anyone who reads etcd or a backup reads every Secret.
Kubelets and the trust anchor
Each node’s kubelet exposes an API that, if it allows anonymous access, lets an attacker exec into pods and read their data — so disable anonymous auth and set the kubelet’s authorization mode to Webhook. Above all, guard the cluster CA and signing keys: they can mint trusted client certificates, so CA compromise lets an attacker forge any identity, including cluster-admin. On managed platforms (EKS/GKE/AKS) the provider hardens the control plane under a shared-responsibility model, which is a strong reason to use them — but you still own workload, RBAC, network, and node security. If a control-plane-level compromise is confirmed, assume trust is broken: rotating the CA and rebuilding may be the only safe recovery.