ABSTRACT

Cluster API itself runs on a Kubernetes cluster, which is referred to as a management cluster. Its primary target audience is developers who want to quickly set up single-node Kubernetes clusters for development and CI/CD purposes. KubeEdge and OpenYurt split Kubernetes clusters by introducing additional layers between the control plane and kubelet. Because etcd plays such a central role in a Kubernetes cluster, using a separate CA reduces the risk of an attacker gaining access to the etcd store. A key threat model for containers is attacks from inside the container, such as by rogue code loaded into the container. Gaining awareness is the first step toward mitigating security risks. There are many libraries and tools for implementing security monitoring systems at different scales and with different levels of sophistication, including Prometheus, Jaeger, Grafana and many others.