I am new to the k8s security. I am wondering how I can measure the attack surface of the k8s environment and what I can do differently to secure it. I have read the GKE security best practices and k8s recommendations. If you please share the methods and tools you commonly use to perform penetration testing it would be helpful. Some of the questions wonders me,

1. If someone breaks into a container, what is level of damage the adversary can do to the environment, given that we have Istio in place?
2. Can someone capitalize a bug in Istio and compromise the entire environment from that single compromised pod (e.g. exploit the web vulnerabilities and get reverse shell on the container)
3. What are the pentests should be performed on a managed Kubernetes vs vanilla k8s to assess the attack surface?
4. When you perform a pentest for the k8s and Istio, does it always pair up with the CICD pipeline security assessment? If so can you please share your experiences and methods?

Please accept my apology if something I described above is wrong or does not make sense. I am hoping to learn more and in-depth about this field. Thank you.