Secure Kubernetes API

10/16/2015

I'm a bit disturbed about how to secure the Kubernetes API for calls and access; also, Kube-ui is available to everybody. How can I set credentials to secure all the services?

Thank you

-- Julien Du Bois
kubernetes

1 Answer

10/16/2015

The Kubernetes API supports multiple forms of authentication: HTTP basic auth, bearer token, client certificates. When launching the apiserver, you can enable / disable each of these authentication methods with command-line flags.

You should also be running the apiserver where the insecure port is only accessible to localhost, so that all connections coming across the network use HTTPS. By having your API clients verify the TLS certificate presented by the apiserver, they can verify that the connection is both encrypted and not susceptible to man-in-the-middle attacks.

By default, anyone who has access credentials to the apiserver has full access to the cluster. You can also configure more fine-grained authorization policies, which will become more flexible and configurable in future Kubernetes releases.

-- Robert Bailey
Source: StackOverflow
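
An added example, not part of the original answer or of the Kubernetes project: a small Python audit of a kube-apiserver command line against the points the answer raises (insecure port bound to localhost, an authentication method enabled, TLS serving certificate set, authorization beyond the default). The flag names are those of kube-apiserver releases from around the time of the answer; the defaults, sample command lines and file paths are assumptions constructed for illustration.

```python
import ipaddress
import shlex

AUTH_FLAGS = ("--basic-auth-file", "--token-auth-file", "--client-ca-file")
# Assumed defaults when a flag is absent (assumption, not stated on the page).
DEFAULTS = {"--insecure-bind-address": "127.0.0.1",
            "--authorization-mode": "AlwaysAllow"}

# Constructed sample command lines; all file paths are placeholders.
WEAK = "kube-apiserver --insecure-bind-address=0.0.0.0"
HARDENED = ("kube-apiserver --insecure-bind-address=127.0.0.1 "
            "--tls-cert-file=/path/to/server.crt --tls-private-key-file=/path/to/server.key "
            "--client-ca-file=/path/to/ca.crt --token-auth-file=/path/to/tokens.csv "
            "--authorization-mode=ABAC --authorization-policy-file=/path/to/policy.jsonl")


def parse_flags(cmdline):
    """Return {flag: value}, accepting both --flag=value and --flag value."""
    flags, tokens, i = dict(DEFAULTS), shlex.split(cmdline), 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("--"):
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                value = tokens[i + 1]  # value given as the next token
                i += 1
            flags[name] = value
        i += 1
    return flags


def audit(cmdline):
    """Check the points the answer raises; return a list of findings."""
    f, findings = parse_flags(cmdline), []
    try:
        local = ipaddress.ip_address(f["--insecure-bind-address"]).is_loopback
    except ValueError:
        local = False  # unparsable address: treat as exposed
    if not local:
        findings.append("insecure port is reachable from the network")
    if not any(flag in f for flag in AUTH_FLAGS):
        findings.append("no authentication method is enabled")
    if "--tls-cert-file" not in f or "--tls-private-key-file" not in f:
        findings.append("TLS serving certificate is not set explicitly")
    if f["--authorization-mode"] == "AlwaysAllow":
        findings.append("authorization mode AlwaysAllow grants full access")
    return findings
```

Calling `audit(WEAK)` returns all four findings, while `audit(HARDENED)` returns an empty list.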