Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower-privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding [name]
Where possible, remove get, list and watch access to secret objects in the cluster.
Where possible, replace any use of wildcards in clusterroles and roles with specific objects or actions.
Where possible, remove create access to pod objects in the cluster.
None required.
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
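One way to find the objects the RBAC items above refer to (cluster-admin bindings, secret read access, wildcards, pod create), as an added example that is not part of the original text. The names audit, rule_findings and SAMPLE are hypothetical, and the sample objects are constructed rather than taken from a real cluster.

```python
import json
import sys

SAMPLE = [  # constructed objects in the shape of `kubectl get ... -o json` items
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get"]},
               {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "cfg-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
]

def rule_findings(rule):
    """Return the findings that apply to a single RBAC rule."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    out = []
    if "*" in groups | resources | verbs:
        out.append("wildcard")
    core = bool(groups & {"", "*"})  # secrets and pods live in the core API group
    if core and resources & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
        out.append("secret-read")
    if core and resources & {"pods", "*"} and verbs & {"create", "*"}:
        out.append("pod-create")
    return out

def audit(items):
    """Return sorted (kind, [namespace/]name, finding) tuples for review."""
    findings = set()
    for obj in items:
        kind, meta = obj["kind"], obj["metadata"]
        name = "/".join(filter(None, [meta.get("namespace"), meta["name"]]))
        if kind in ("ClusterRole", "Role"):
            for rule in obj.get("rules") or []:  # aggregated roles may have null rules
                findings.update((kind, name, f) for f in rule_findings(rule))
        elif kind == "ClusterRoleBinding" and obj["roleRef"]["name"] == "cluster-admin":
            for s in obj.get("subjects") or []:
                findings.add((kind, name, f"cluster-admin -> {s['kind']}:{s['name']}"))
    return sorted(findings)

if __name__ == "__main__":
    # Pipe in: kubectl get clusterroles,roles,clusterrolebindings -A -o json
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for kind, name, finding in audit(items):
        print(f"{kind:20} {name:30} {finding}")
```

Built-in roles and bindings (cluster-admin itself, the system: roles) also appear in the output on a real cluster, so each finding is a candidate for review rather than something to delete outright.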