Specifically, some canonical instructions on how to harden a cluster would be helpful. Many Starting Guides have nodes use plain HTTP to talk to the API server, thus even deployed containers can do this too.
It took me a while to find a proper kubeconfig example for kubelet and kube-proxy token auth (the one I eventually found was buried in some GitHub issue, I think).
Also, I found no information on what to put in the authorization jsonl file for kubelet (the given example is wrong, since the kubelet needs to write/report node status to the API) and kube-proxy. Peeking into the code helped, but I guess this information could be helpful for admins.
I'd love if you could mention stuff in particular that you felt like was missing - we're trying hard to catch up!