by mjfisher
1290 days ago
The Kubernetes nodes and control plane are not something I manage directly. DigitalOcean perform regular upgrades to keep the cluster at a minimum supportable and secure version. They're reasonably sophisticated, and if they can't upgrade the cluster without downtime they'll notify you with what's wrong - which is great, because I don't know much in depth about K8s administration.

The configuration you use is pretty explicit about which ports are internal and which are published externally as a service, so it's unlikely you'll get it wrong by accident. Nevertheless, you can still verify that you haven't done anything daft like opened a DB port to the internet by e.g. trying to connect to it.

Finally, there's a whole class of difficult administration, hardening and access problems that can come with Kubernetes multi-tenanted operations that you just side-step as a sole administrator/user. You don't need to worry about who has access to which services or namespaces, or what privileges they have via RBAC - it's just you. I'd want to do some really serious research before letting other users launch containers on my cluster, or execute their own code in it; but that's not one of my use-cases, so it's not a problem.
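As a complement to the connection test mentioned in the comment above, here is an added example (not part of the original comment) that audits Service definitions for database ports published outside the cluster. It assumes input in the shape of `kubectl get services --all-namespaces -o json`; the `DB_PORTS` list, the function name and the sample services are constructed for illustration.

```python
import json

# Assumed list of common database ports for this example; extend for your stack.
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

def externally_published_db_ports(service_list):
    """Return (namespace, name, type, published_port, db) for DB ports exposed outside the cluster."""
    findings = []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")
        external = svc_type in ("LoadBalancer", "NodePort") or bool(spec.get("externalIPs"))
        if not external:
            continue  # ClusterIP services are only reachable inside the cluster
        for port in spec.get("ports", []):
            # Check targetPort too: a service may publish 15432 and forward to 5432.
            for candidate in (port.get("port"), port.get("targetPort")):
                if candidate in DB_PORTS:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     svc_type, port.get("port"), DB_PORTS[candidate]))
                    break
    return findings

# Constructed sample data, not taken from a real cluster.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "postgres"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 5432, "targetPort": 5432}]}},
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "targetPort": "http"}]}},
  {"metadata": {"namespace": "default", "name": "redis-debug"},
   "spec": {"type": "NodePort", "ports": [{"port": 6379, "targetPort": 6379, "nodePort": 30079}]}},
  {"metadata": {"namespace": "default", "name": "pg-proxy"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 15432, "targetPort": 5432}]}}
]}
""")

if __name__ == "__main__":
    for finding in externally_published_db_ports(SAMPLE):
        print("externally published DB port:", finding)
```

A clean result here only covers Service objects; an outside-in connection attempt is still the check that confirms what is actually reachable.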