KubeDojo

API Server Security

by Alexis Kinsella··17 min read

Run kube-bench against a fresh kubeadm cluster. You will see failures. Even the default configuration, which is more secure than it was five years ago, does not pass every CIS check for the API server. That is because kube-apiserver is the single point of entry for every kubectl command, every controller reconciliation, and every kubelet heartbeat. It has the largest attack surface of any control plane component, and hardening it requires understanding how requests flow through it.

This lesson covers the API server's request pipeline: four security gates (TLS, authentication, authorization, admission control) plus audit logging. Each gate has specific kube-apiserver flags, corresponding CIS Kubernetes Benchmark checks, and real misconfiguration risks. This maps directly to the KCSA Cluster Component Security domain (22% of the exam).
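As an added illustration of the five checkpoints just listed (this is not code from the lesson or from KubeDojo), the following Python script reads the flag list of a constructed kube-apiserver static pod manifest and reports one pass/fail per gate. The thresholds it applies (anonymous-auth=false, Node,RBAC authorization, NodeRestriction admission, an audit log path) are assumptions drawn from common CIS guidance; the exact check IDs differ between benchmark versions.

```python
from typing import Dict, List, Tuple

# Constructed sample: the "command" list from a kube-apiserver static pod
# manifest, deliberately weakened so that several gates fail.
SAMPLE_ARGS = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--anonymous-auth=true",
    "--authorization-mode=AlwaysAllow",
    "--enable-admission-plugins=NamespaceLifecycle",
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key",
    "--client-ca-file=/etc/kubernetes/pki/ca.crt",
]


def parse_flags(args: List[str]) -> Dict[str, str]:
    """Turn ['--k=v', ...] into {'k': 'v'}; a bare '--flag' maps to ''."""
    flags: Dict[str, str] = {}
    for arg in args[1:]:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value
    return flags


def check_gates(flags: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """One (gate, flag, passed) tuple per check. Unset flags are judged by the
    kube-apiserver defaults (anonymous-auth=true, authorization-mode=AlwaysAllow).
    The expected values are assumptions modelled on CIS guidance."""
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    plugins = flags.get("enable-admission-plugins", "").split(",")
    return [
        ("TLS", "tls-cert-file/tls-private-key-file",
         bool(flags.get("tls-cert-file")) and bool(flags.get("tls-private-key-file"))),
        ("Authentication", "anonymous-auth", flags.get("anonymous-auth", "true") == "false"),
        ("Authentication", "client-ca-file", bool(flags.get("client-ca-file"))),
        ("Authorization", "authorization-mode",
         "AlwaysAllow" not in modes and "Node" in modes and "RBAC" in modes),
        ("Admission", "enable-admission-plugins", "NodeRestriction" in plugins),
        ("Audit", "audit-log-path", bool(flags.get("audit-log-path"))),
    ]


def failing_gates(args: List[str]) -> List[str]:
    """Names of the failing checks, formatted as 'Gate: flag'."""
    return [f"{gate}: {flag}" for gate, flag, ok in check_gates(parse_flags(args)) if not ok]


if __name__ == "__main__":
    for line in failing_gates(SAMPLE_ARGS):
        print("FAIL", line)
```

On a real node the same flag list can be read from /etc/kubernetes/manifests/kube-apiserver.yaml, which is also where kube-bench looks.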
