DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service that lets you deploy Kubernetes clusters without the complexities of handling the control plane and containerized infrastructure. Clusters are compatible with standard Kubernetes toolchains and integrate natively with DigitalOcean Load Balancers and volumes.
You need to use a privileged pod configured to gain access to the underlying system of the worker node.
The worker node system is updated when clusters are upgraded. This is one important reason to enable auto-upgrades on your cluster. The changelog has the set of images released over time with the things that changed.
You can run additional security tooling on worker nodes as privileged DaemonSets.
Security-scanning services are built into some image registries such as Docker Hub and Quay. You can also use an independent scanner such as Anchore, WhiteSource, or Clair. Be sure not to import open-source code in tarballs and instead use a package from a public repository so the scanner is more likely to recognize it.
DOKS offers token-based certificate-based authorization (recommended) and supports certificates for legacy clusters. For more details, see Connect to a Cluster.
We recommend consulting the CNCF’s security recommendations, and reading Securing a Cluster and Overview of Cloud Native Security in the Kubernetes documentation.