Restricting Access to the Kubernetes API

Restricting API server access requires disabling anonymous authentication, configuring audit logging, and implementing network-level controls to limit access to the API server.
Consider a misconfigured RBAC binding that grants the list verb on secrets to the system:unauthenticated group. With anonymous authentication enabled (the default), anyone who can reach port 6443 can dump every Secret in the cluster without credentials. This is not hypothetical. It is a recurring finding in penetration tests, and the CKS exam expects you to fix it.
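As an added example (not part of the lesson), the audit below walks a constructed ClusterRole/ClusterRoleBinding listing in the shape that kubectl get clusterroles,clusterrolebindings -o json returns, and reports every resource permission a binding hands to the anonymous groups system:unauthenticated and system:anonymous. The binding and role names are hypothetical; the public-info entry is modelled on the default system:public-info-viewer binding, which is expected to appear and is not a finding because it grants only non-resource URLs.

```python
import json

# Constructed sample (hypothetical names) in the shape of
# `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE_RBAC = json.dumps({
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "system:public-info-viewer"},
         "rules": [{"nonResourceURLs": ["/healthz", "/version"], "verbs": ["get"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "bad-anon-secrets"},
         "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    ]
})

# Groups an unauthenticated request is placed in by the API server.
ANON_SUBJECTS = {"system:unauthenticated", "system:anonymous"}


def anonymous_resource_grants(rbac_json):
    """Return (binding, role, resource, verb) for every API resource permission
    reachable without credentials through a ClusterRoleBinding."""
    items = json.loads(rbac_json)["items"]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for binding in items:
        if binding["kind"] != "ClusterRoleBinding":
            continue
        if not any(s.get("name") in ANON_SUBJECTS for s in binding.get("subjects", [])):
            continue
        role = roles.get(binding["roleRef"]["name"])
        if role is None:  # dangling roleRef grants nothing
            continue
        for rule in role.get("rules", []):
            # Only resource rules are reported; nonResourceURLs such as
            # /healthz are the one thing anonymous callers normally need.
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    findings.append((binding["metadata"]["name"],
                                     role["metadata"]["name"], resource, verb))
    return findings


if __name__ == "__main__":
    for f in anonymous_resource_grants(SAMPLE_RBAC):
        print("FINDING: binding=%s role=%s resource=%s verb=%s" % f)
```

Run it against a real export with the same shape to find bindings to remove; independently of RBAC, anonymous access is switched off entirely with the kube-apiserver flag --anonymous-auth=false.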
CKS — Certified Kubernetes Security Specialist