Kubernetes - Do I need to do some additional hardening steps?

3/26/2019

Basically I'm new to Kubernetes and I'm trying to create a simple nginx + php-fpm application. I've set up the deployment config, created the pods, set up some load balancers, etc. Everything's working fine and I'm controlling the cluster from Google Cloud Shell (because the cluster is created on Google Cloud Platform). I want to ask if I need to do some additional steps or if my cluster is safe and secure, for example: can someone connect to it from outside in some way, etc.? I've kept the default settings while creating the cluster and I have client certificate enabled (that's a way of authentication, right?). I just want to make sure. (Should it be secure by default?)

-- JumpakCoding
google-kubernetes-engine
kubernetes

1 Answer

3/26/2019

Consider what exactly you are "hardening" against; you can consider security from two contexts: application and cluster. They are usually decoupled, but either one can cause some serious problems if it gets compromised.

For cluster security, there are many options on GKE to restrict access to your cluster that cover the majority of use cases. You can use RBAC (Role-based access control) to limit user and service account permissions and prevent unauthorized access to or modification of your cluster resources. Additionally, if you use an external tool (e.g. Helm), you will need to secure it individually. By default, only those with the client certificate should be able to access your master. If you share the certificate, or if another user in your Google Organizations account has the IAM permissions to access your cluster, they could also grab permissions from the Google Cloud CLI. Good cluster security enforcement can greatly mitigate the effects of a compromised container/pod.

For application security, follow the best practices for deploying containerized applications and secret management. Basically, secure your nginx and PHP as you would on traditional servers.

Hope this helps!

-- Frank Yucheng Gu
Source: StackOverflow
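The RBAC scoping the answer recommends, as an added example that is not part of the original question or answer. It assumes a namespace `web`, a service account `nginx-php-sa`, an operator identity `operator@example.com` and stock `nginx`/`php:fpm` images; all of those names are assumptions for illustration. The Role grants only read access to pods and deployments inside one namespace, the RoleBinding ties it to both the human operator and the workload's service account, and the Deployment runs under that service account with the API token not mounted, since nginx and php-fpm never need to talk to the Kubernetes API:

```yaml
# Namespace for the nginx + php-fpm app (assumed name: web)
apiVersion: v1
kind: Namespace
metadata:
  name: web
---
# Dedicated service account for the workload instead of the namespace "default" one
# (assumed name: nginx-php-sa)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-php-sa
  namespace: web
automountServiceAccountToken: false   # nginx/php-fpm do not call the Kubernetes API
---
# Namespace-scoped Role: read-only on pods (and their logs) and deployments, nothing else.
# No "*" verbs, no secrets, no cluster-wide scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-viewer
  namespace: web
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
# Bind the Role to one human operator and to the workload's service account.
# On GKE a Google account authenticating through gcloud shows up as a User subject
# whose name is the account's email (assumed address below).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-viewer-binding
  namespace: web
subjects:
- kind: User
  name: operator@example.com
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: nginx-php-sa
  namespace: web
roleRef:
  kind: Role
  name: app-viewer
  apiGroup: rbac.authorization.k8s.io
---
# The application itself, running as the restricted service account (images assumed)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-php
  namespace: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-php
  template:
    metadata:
      labels:
        app: nginx-php
    spec:
      serviceAccountName: nginx-php-sa
      automountServiceAccountToken: false   # pod-level override, belt and braces
      containers:
      - name: nginx
        image: nginx:stable
        ports:
        - containerPort: 80
      - name: php-fpm
        image: php:fpm
```

Apply it with `kubectl apply -f rbac.yaml`, then check the result rather than trusting it: `kubectl auth can-i get pods -n web --as=system:serviceaccount:web:nginx-php-sa` should print `yes`, while `kubectl auth can-i delete deployments -n web --as=system:serviceaccount:web:nginx-php-sa` and `kubectl auth can-i get secrets -n web --as=operator@example.com` should print `no`. Two caveats the answer hints at: RBAC only limits what an already-authenticated identity may do, so a project member holding a broad GKE IAM role (for example `roles/container.admin`) still gets full access regardless of these bindings, which is why `gcloud projects get-iam-policy PROJECT_ID` is worth reviewing alongside the RoleBindings; and whether anyone outside can reach the API server at all is a network question, controlled on GKE by master authorized networks (`gcloud container clusters update CLUSTER --enable-master-authorized-networks --master-authorized-networks CIDR`), not by RBAC.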