Q: Is there an option to restrict the access for the Kubernetes API by IP addresses?
A: Not today.
Q: How can we get latest OS version and patch-level information on worker nodes so we can check OS and kernel versions for 0-day exploits or other CVE vulnerabilities?
A: You will need to use a privileged pod configured to gain access to the underlying system of the worker node.
Q: How do you keep the worker nodes secure?
A: The worker node system is updated when clusters are upgraded. This is one important reason to enable auto-upgrades on your cluster. The changelog has the set of images released over time with the things that changed.
Q: How can I run additional security tooling on worker nodes?
A: You can run additional security tooling on worker nodes as privileged DaemonSets.
Q: How I can reasonably make sure there are no known exploits in the image running on the Droplets?
A: Security-scanning services are built into some image registries such as Docker Hub and Quay. You can also use an independent scanner such as Anchore, WhiteSource, or Clair. Be sure not to import open-source code in tarballs and instead use a package from a public repository so the scanner is more likely to recognize it.
Q: What are my options for authentication?
A: DOKS offers certificate-based authorization today, and will offer token-based authorization soon.
Q: Where can I read some security best practices for Kubernetes in general (rather than DOKS in specific?)