Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding [name]
Where possible, remove get, list and watch access to Secret objects in the cluster.
Where possible, replace any use of wildcards in clusterroles and roles with specific objects or actions.
Where possible, remove create access to pod objects in the cluster.
Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value: automountServiceAccountToken: false
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
Remove the system:masters group from all users in the cluster.
Where possible, remove the impersonate, bind and escalate rights from subjects.
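The items above are remediation steps; before deleting or tightening anything, an operator first needs the list of offending objects. The following is an added Python example (not CIS or Kubernetes project code) that audits an RBAC export for the bindings to cluster-admin, the roles granting get/list/watch on Secrets, the wildcard roles, the roles granting create on Pods, the service accounts and pods that still auto-mount tokens, and the roles carrying impersonate, bind or escalate. It assumes the input is the "items" list from a kubectl -o json export of ClusterRoles, Roles, ClusterRoleBindings, RoleBindings, ServiceAccounts and Pods; the namespaces, role names, users and pods in SAMPLE_ITEMS are constructed, not taken from a real cluster. Built-in roles are recognised by the kubernetes.io/bootstrapping label the API server puts on them. The system:masters item is not covered: membership in that group comes from the Organization field of a client certificate, which an RBAC export cannot show, so that review has to be done against issued certificates.

```python
"""Added example, not CIS or Kubernetes project code: audit a kubectl JSON export for the
RBAC findings above. Input is the "items" list of
kubectl get clusterroles,roles,clusterrolebindings,rolebindings,serviceaccounts,pods -A -o json
SAMPLE_ITEMS at the bottom is a constructed cluster state, not output from a real cluster."""

ESCALATION_VERBS = {"impersonate", "bind", "escalate"}  # verbs that let a subject grow its own rights
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"         # label carried by the built-in default roles
RBAC = "rbac.authorization.k8s.io"

def _matches(values, wanted):
    """RBAC list semantics: an explicit entry or the '*' wildcard matches."""
    return any(v in ("*", wanted) for v in values)

def rule_grants(rule, resource, verbs, api_group=""):
    """True if one PolicyRule grants any of `verbs` on `resource` (core API group by default)."""
    return (_matches(rule.get("apiGroups", [""]), api_group)
            and _matches(rule.get("resources", []), resource)
            and any(_matches(rule.get("verbs", []), v) for v in verbs))

def _custom_roles(roles):
    """Skip bootstrapped defaults: the API server reconciles them at startup, so hand edits do not stick."""
    return [r for r in roles if BOOTSTRAP_LABEL not in r["metadata"].get("labels", {})]

def _role_id(role):
    ns = role["metadata"].get("namespace")
    return role["kind"] + "/" + (ns + "/" if ns else "") + role["metadata"]["name"]

def roles_granting(roles, resource, verbs):
    """Roles with a rule granting any of `verbs` on `resource` (Secret reads, Pod create)."""
    return sorted(_role_id(r) for r in _custom_roles(roles)
                  if any(rule_grants(rule, resource, verbs) for rule in r.get("rules", [])))

def roles_with_wildcards(roles):
    """Roles using '*' in verbs, resources or apiGroups."""
    return sorted(_role_id(r) for r in _custom_roles(roles)
                  if any("*" in rule.get(key, []) for rule in r.get("rules", [])
                         for key in ("verbs", "resources", "apiGroups")))

def roles_with_escalation_verbs(roles):
    """Roles granting impersonate, bind or escalate, or the '*' verb that covers them."""
    return sorted(_role_id(r) for r in _custom_roles(roles)
                  if any(set(rule.get("verbs", [])) & (ESCALATION_VERBS | {"*"})
                         for rule in r.get("rules", [])))

def cluster_admin_bindings(bindings):
    """ClusterRoleBinding name -> subjects, for every binding to cluster-admin."""
    return {b["metadata"]["name"]: [s["kind"] + "/" + s["name"] for s in b.get("subjects", [])]
            for b in bindings if b["kind"] == "ClusterRoleBinding"
            and b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] == "cluster-admin"}

def automount_findings(service_accounts, pods):
    """Objects still auto-mounting a token: the field is top-level on a ServiceAccount,
    under spec on a Pod, and an explicit pod setting overrides the service account."""
    key = lambda o: (o["metadata"]["namespace"], o["metadata"]["name"])
    disabled = {key(sa) for sa in service_accounts if sa.get("automountServiceAccountToken") is False}
    findings = ["serviceaccount %s/%s" % k for k in sorted({key(sa) for sa in service_accounts} - disabled)]
    for pod in pods:
        ns, name = key(pod)
        sa = pod["spec"].get("serviceAccountName", "default")
        setting = pod["spec"].get("automountServiceAccountToken")
        if setting is True or (setting is None and (ns, sa) not in disabled):
            findings.append("pod %s/%s (serviceaccount %s)" % (ns, name, sa))
    return findings

def audit(items):
    """Run every check over a kubectl "items" list; returns findings keyed by check."""
    by_kind = {}
    for obj in items:
        by_kind.setdefault(obj["kind"], []).append(obj)
    roles = by_kind.get("ClusterRole", []) + by_kind.get("Role", [])
    bindings = by_kind.get("ClusterRoleBinding", []) + by_kind.get("RoleBinding", [])
    return {"cluster_admin_bindings": cluster_admin_bindings(bindings),
            "secret_readers": roles_granting(roles, "secrets", {"get", "list", "watch"}),
            "wildcard_roles": roles_with_wildcards(roles),
            "pod_creators": roles_granting(roles, "pods", {"create"}),
            "automount": automount_findings(by_kind.get("ServiceAccount", []), by_kind.get("Pod", [])),
            "escalation_roles": roles_with_escalation_verbs(roles)}

def _obj(kind, name, ns=None, labels=None, **fields):
    """Minimal constructed object in kubectl's export shape."""
    meta = {"name": name, **({"namespace": ns} if ns else {}), **({"labels": labels} if labels else {})}
    return {"kind": kind, "metadata": meta, **fields}

SAMPLE_ITEMS = [  # constructed sample state, not from a real cluster
    _obj("ClusterRole", "cluster-admin", labels={BOOTSTRAP_LABEL: "rbac-defaults"},
         rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRole", "secret-reader", rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]),
    _obj("ClusterRole", "do-anything", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRole", "role-binder", rules=[{"apiGroups": [RBAC], "resources": ["clusterroles"], "verbs": ["bind"]}]),
    _obj("Role", "deployer", ns="dev", rules=[{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get"]}]),
    _obj("ClusterRoleBinding", "legacy-admin", roleRef={"apiGroup": RBAC, "kind": "ClusterRole", "name": "cluster-admin"},
         subjects=[{"kind": "User", "name": "alice"}]),
    _obj("ServiceAccount", "default", ns="dev"),
    _obj("ServiceAccount", "ci", ns="dev", automountServiceAccountToken=False),
    _obj("ServiceAccount", "default", ns="prod", automountServiceAccountToken=False),
    _obj("Pod", "web", ns="dev", spec={}),
    _obj("Pod", "ci-runner", ns="dev", spec={"serviceAccountName": "ci"}),
    _obj("Pod", "batch", ns="prod", spec={"serviceAccountName": "default", "automountServiceAccountToken": True}),
]
```

Calling audit(SAMPLE_ITEMS) returns one list per check; against a real export, feed it the "items" array of the kubectl output instead. The wildcard check deliberately skips bootstrapped roles because the API server recreates them with their original rules, so the only way to reduce their reach is to change who is bound to them, which is what the first item above describes.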