What is node security?
Each Pod that is launched in your cluster runs on a node. That node could be a VM, a "bare metal" server, or even another kind of compute service that is itself a container. Every process started by a Pod runs on that node, and depending on how it is launched, can have a surprising set of capabilities on that node such as talking to the filesystem, breaking out of the container to get a shell on the node, or even accessing the secrets used by the node to communicate with the API server. It's important to make sure that processes that are going to request special privileges are done so only when authorized and even then, for specific purposes.
Many people have experience with physical and virtual servers, and most know how to secure workloads running on them. Containers need to be considered differently when you talk about securing each workload. To understand why Kubernetes security tools such as the Open Policy Agent (OPA) exist, you need...