API (Bastion) • Regular Cluster upgrades • Authenticate using AAD • Apply security updates (Kured) • Containers • Scan for vulnerabilities (Twistlock, Aqua) • Regularly update the base image • No root access (privileged access) • Network security • WAF ingress • Firewall for egress • Network policies