CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests

CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node

Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise

Check if containers are running with low UID, which might cause conflicts with the host's user table.

Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory

Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes

The permission to create pods in a cluster should be restricted because it allows privilege escalation.

Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments

Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls