Let us try to capture some of the steps that can be taken to secure a Kubernetes cluster.
Image Scanning
The software packaged into an image may contain vulnerabilities. Through these vulnerabilities, a hacker can obtain access to the host machine or a shared data volume. It is therefore important not only to scan the image for vulnerabilities before it is pushed to the repository, but also to scan images already in the repository on a regular basis.
Run as Non-Root User
Running a process as the root user inside a Docker container gives it access to any process or directory that requires root access on the host. If a pod is compromised, this becomes a serious risk.
RBAC (apply least privilege principles)
RBAC is role-based access control. It restricts access to Kubernetes resources based on the role attached to the user.
Service to service communication
Network policies
Network policies allow us to configure how pods communicate with various network entities.
They can be used to define which other pods or namespaces a given pod is allowed to communicate with, for both incoming and outgoing traffic.
The only prerequisite is that a network plugin that supports network policies must be installed.
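A default-deny policy combined with one explicit allow rule, as an added example that is not part of the original article. The namespace `shop`, the labels `app: orders` and `app: payments`, and port 8443 are assumptions chosen for illustration.

```yaml
# Constructed example: the namespace, labels and port are assumptions.
---
# 1. Default deny: selects every pod in the namespace and, because no
#    ingress or egress rules are listed, allows no traffic in either direction.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Allow only what the payments pods need. Policies are additive, so this
#    opens specific paths on top of the default deny above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-allow
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Incoming: only from orders pods in the same namespace, on one port.
    - from:
        - podSelector:
            matchLabels:
              app: orders
      ports:
        - protocol: TCP
          port: 8443
  egress:
    # Outgoing: only DNS lookups to pods in the kube-system namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

If the installed network plugin does not enforce network policies, the API server still accepts these objects but they have no effect on traffic.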
mTLS
To enforce zero-trust security in your cluster, encrypted communication between microservices is a necessary requirement. mTLS helps avoid snooping and man-in-the-middle attacks. It is surely not a good idea to exchange credit card numbers in plain text between services. This is one of the reasons why mTLS is becoming a compliance requirement in many countries.
Secure etcd
Etcd is a distributed datastore, and Kubernetes uses it as its key-value datastore. This solves many problems, such as race conditions, for Kubernetes out of the box. Etcd stores the state of the cluster, so the whole configuration of your cluster can be accessed, modified or removed if someone gets access to etcd.
Backups
Backups help recover data after a disaster, or when it has been deleted by a hacker. The caveat is that the data is now present in multiple places. Hence backups have to be treated with the same level of security as production data.