Software that exposes an interface to another system must always require authentication, even when that interface is exposed in a "secure" environment.
Access to the server system is only allowed through an SSH bastion using certificate authentication. Only the DevOps team has access to this gateway.
One must never expose the Kubernetes API to the internet outside a maintenance window. During these windows, only a handful of selected IP addresses are allowed to communicate with the API endpoint.
Machines, containers and software packages must be tracked for security patch updates.
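
One way to check the Kubernetes API rule above automatically (an added example, not part of the original policy): the function audits the source CIDRs currently allowed to reach the API endpoint against the maintenance windows and the selected addresses. The function and parameter names, the internal ranges, the cap of five addresses and all sample values are assumptions.

```python
from datetime import datetime, timezone
from ipaddress import ip_network

# Assumption: address ranges treated as internal (not "the internet").
INTERNAL = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _within(net, nets):
    """True if net lies entirely inside one of nets (same IP version)."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def audit_api_exposure(allowed_sources, windows, approved, now, max_sources=5):
    """Return policy findings for the API endpoint's ingress allow list.

    allowed_sources -- CIDRs currently permitted to reach the API endpoint
    windows         -- (start, end) maintenance windows, timezone-aware
    approved        -- CIDRs selected for access during a window
    max_sources     -- assumed numeric reading of "a handful" of addresses
    """
    in_window = any(start <= now < end for start, end in windows)
    approved_nets = [ip_network(c) for c in approved]
    external = [n for n in map(ip_network, allowed_sources)
                if not _within(n, INTERNAL)]
    findings = []
    for net in external:
        if not in_window:
            findings.append(f"{net}: internet source allowed outside a maintenance window")
        elif not _within(net, approved_nets):
            findings.append(f"{net}: source is not on the approved list")
    if in_window and sum(n.num_addresses for n in external) > max_sources:
        findings.append("allow list covers more than a handful of addresses")
    return findings


if __name__ == "__main__":
    # Constructed sample data (documentation address range, made-up window).
    utc = timezone.utc
    windows = [(datetime(2024, 1, 10, 22, 0, tzinfo=utc),
                datetime(2024, 1, 10, 23, 0, tzinfo=utc))]
    approved = ["203.0.113.10/32", "203.0.113.11/32"]
    # A rule left behind after the window closed is reported.
    after = datetime(2024, 1, 10, 23, 30, tzinfo=utc)
    for finding in audit_api_exposure(["10.0.0.0/8", "203.0.113.10/32"],
                                      windows, approved, after):
        print(finding)
```

Run on a schedule against the firewall or load balancer rules in front of the API endpoint, this catches allow rules that were not removed when a window closed.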