Is there an option to restrict the access for the Kubernetes API by IP addresses?
How can we get the latest OS version and patch-level information on worker nodes, so we can check OS and kernel versions for 0-day exploits or other CVE vulnerabilities?
You need to use a privileged pod configured to gain access to the underlying system of the worker node.
How do you keep the worker nodes secure?
The worker node system is updated when clusters are upgraded. This is one important reason to enable auto-upgrades on your cluster. The changelog has the set of images released over time with the things that changed.
How can I run additional security tooling on worker nodes?
You can run additional security tooling on worker nodes as privileged DaemonSets.
How I can reasonably make sure there are no known exploits in the image running on the Droplets?
Security-scanning services are built into some image registries such as Docker Hub and Quay. You can also use an independent scanner such as Anchore, WhiteSource, or Clair. Be sure not to import open-source code in tarballs and instead use a package from a public repository so the scanner is more likely to recognize it.
What are my options for authentication?
DOKS offers token-based certificate-based authorization (recommended) and supports certificates for legacy clusters. For more details, see Connect to a Cluster.
Where can I read some security best practices for Kubernetes in general (rather than DOKS in specific?)