Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value: automountServiceAccountToken: false
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces to user namespaces.
Move any user pods that are present in the Kubernetes system namespaces to user-specific namespaces.
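
To find what still needs remediation, the following added example (not part of the original guidance) audits the JSON produced by `kubectl get serviceaccounts --all-namespaces -o json` and `kubectl get pods --all-namespaces -o json`. The sample input is constructed, the namespaces `payments` and `web` are hypothetical, and treating every pod in the three named namespaces as user-managed is an assumption.

```python
import json

# Namespaces the guidance above says should hold no user-managed resources.
RESERVED_NAMESPACES = {"default", "kube-public", "kube-node-lease"}

def audit_service_accounts(sa_list):
    """Return namespaces whose 'default' ServiceAccount still automounts its token."""
    findings = []
    for sa in sa_list.get("items", []):
        meta = sa.get("metadata", {})
        if meta.get("name") != "default":
            continue
        # The field is optional; when it is absent the token is automounted,
        # so only an explicit false counts as remediated.
        if sa.get("automountServiceAccountToken") is not False:
            findings.append(meta.get("namespace", ""))
    return sorted(findings)

def audit_pods(pod_list):
    """Return (namespace, pod name) pairs for pods running in reserved namespaces."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("namespace") in RESERVED_NAMESPACES:
            findings.append((meta.get("namespace"), meta.get("name", "")))
    return sorted(findings)

# Constructed sample input, trimmed to the fields the checks read.
SAMPLE_SERVICE_ACCOUNTS = json.loads("""{"items": [
  {"metadata": {"name": "default", "namespace": "default"}},
  {"metadata": {"name": "default", "namespace": "payments"},
   "automountServiceAccountToken": false},
  {"metadata": {"name": "default", "namespace": "web"},
   "automountServiceAccountToken": true},
  {"metadata": {"name": "payments-api", "namespace": "payments"}}
]}""")
SAMPLE_PODS = json.loads("""{"items": [
  {"metadata": {"name": "debug-shell", "namespace": "default"}},
  {"metadata": {"name": "api-7c9f", "namespace": "payments"}},
  {"metadata": {"name": "cronjob-1", "namespace": "kube-public"}}
]}""")

if __name__ == "__main__":
    for ns in audit_service_accounts(SAMPLE_SERVICE_ACCOUNTS):
        print(f"default ServiceAccount in '{ns}' lacks automountServiceAccountToken: false")
    for ns, name in audit_pods(SAMPLE_PODS):
        print(f"pod '{name}' should move out of namespace '{ns}'")
```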