Something I often don't see mentioned -- be wary of older (as in lifetime, not version), long-running clusters. I have found multiple times that a product has some vulnerabilities because I can land myself in an "older" cluster that predated various security enhancements that were made to provisioning, IaaS lockdown, etc., that old clusters will almost surely not benefit from due to the nature of the "fixes" being in the initial configuration.

(As an example, "SomeProduct" allowed users to run somewhat arbitrary, non-privileged, non-root containers. I assumed it was K8s and poked around. All clusters were on GCE and ostensibly running the same versions, but due to how they were initially deployed, had different levels of vulnerability. The older clusters predated GCE blocking the metadata server, and predated the existence of TLS bootstrapping for kubelet, so for some of their clusters, it was easy to grab the kubelet's key+cert and impersonate the kubelet as an unprivileged user. It sort of requires having someone paying a fair amount of attention upstream and/or knowing details of k8s provisioning to catch some of these things.)