Where is the kube-apiserver configured? Is it setup in HA? Are you planning in the future to allow us to see the kube-apiserver logs? Are you planning to allow us to configure the kube-apiserver? For example to configure an OIDC provider so we can use bearer tokens instead of client certificates. Are you planning to restrict the servers that can reach the kube-apiserver? It seems it’s open to the internet (granted you have credentials).