Kubernetes Trust Boundaries and Data Flow

A single API request to create a Pod crosses at least four trust boundaries before anything runs on a node. TLS terminates the connection. Authentication identifies the caller. Authorization checks whether that caller can perform the action. Admission control validates and mutates the object. Only then does etcd store it, and only then does a kubelet on a worker node pull an image and start a container.
Miss any one of those boundaries, and an attacker moves laterally. Misconfigure the kubelet, and a compromised container reaches the node. Skip NetworkPolicies, and every pod can talk to every other pod and the control plane. Leave etcd unauthenticated, and you've handed over cluster-admin.
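As an added illustration of the admission-control boundary described above (this is example code, not material from the course): a minimal validating webhook handler in Python that takes an `admission.k8s.io/v1` AdmissionReview and denies Pods that would let a container reach the node (host namespaces, privileged containers, hostPath volumes). The AdmissionReview body, its uid and the Pod are constructed sample values; the HTTPS server that would wrap `review()` is assumed and not shown.

```python
import json

# Constructed AdmissionReview (admission.k8s.io/v1) of the shape the API server
# POSTs to a validating webhook. The uid and Pod are sample values, not from a cluster.
SAMPLE_REVIEW = json.dumps({
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "0b1a9e7e-0000-4000-8000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "dev",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "debug"},
            "spec": {
                "hostNetwork": True,
                "containers": [{
                    "name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True},
                }],
            },
        },
    },
})

def pod_violations(pod: dict) -> list[str]:
    """Return the reasons a Pod spec would give a container access to the node."""
    spec = pod.get("spec", {})
    reasons = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            reasons.append(f"spec.{key} is true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            reasons.append(f"container {c['name']} is privileged")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            reasons.append(f"volume {v['name']} mounts hostPath {v['hostPath'].get('path')}")
    return reasons

def review(body: str) -> dict:
    """Handle one AdmissionReview; deny Pod CREATE/UPDATE that carries a violation."""
    req = json.loads(body)["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if req["kind"]["kind"] == "Pod" and req["operation"] in ("CREATE", "UPDATE"):
        reasons = pod_violations(req["object"])
        if reasons:
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

The response must echo the request uid, and `allowed: false` with a status message is what the API server surfaces to the caller; a webhook should also be registered with `failurePolicy` chosen deliberately, since an unreachable webhook otherwise becomes a bypass of this boundary.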
KCSA — Kubernetes and Cloud Native Security Associate
39 lessons