Kubernetes is quite secure by default. Both of the cloud providers that provide Kubernetes, Google Cloud and Microsoft Azure, work in a similar way.
A management node is deployed alongside your nodes; this management node controls your entire cluster, and is by default exposed to both the public internet and the cloud provider. We can test what an unauthenticated user sees by launching a cluster with the following command:
$ gcloud container clusters create kube
Now, by default this command will launch the cluster, including the management node. All of the certificates used to authenticate your local copy of kubectl against the cluster are generated on the cloud, and then once the cluster has launched it will configure ...