This is a very broad topic.
Short answer (main points):
- Apply the least privilege principle to IAM entities and RBAC entities
- Enable binary authorization
- Limit privileges on containers
- Enable image scanner
- Use the Secret Manager
- Create private clusters when possible
- Spread your worker nodes between AZs
But I strongly recommend you verify Google's official docs:
https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview#node_upgrades
See ya
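
Several items from the list above (binary authorization, private nodes, nodes spread across zones, container privileges) can be checked mechanically. The following is an added example, not part of the original answer or of any Google tooling. It assumes the cluster field names of the GKE Cluster API resource as returned by `gcloud container clusters describe --format=json`, checks only the container-level `securityContext`, and uses constructed sample data.

```python
# Constructed sample with a few fields shaped like the output of
# `gcloud container clusters describe --format=json` (values invented).
SAMPLE_CLUSTER = {
    "locations": ["us-central1-a"],
    "binaryAuthorization": {"evaluationMode": "DISABLED"},
    "privateClusterConfig": {"enablePrivateNodes": False},
}
# Constructed container entry from a Pod spec (spec.containers[i]).
SAMPLE_CONTAINER = {"name": "app", "securityContext": {"privileged": True}}


def audit_cluster(cluster):
    """Return findings for the cluster-level items in the checklist."""
    findings = []
    mode = cluster.get("binaryAuthorization", {}).get("evaluationMode", "DISABLED")
    if mode in ("DISABLED", "EVALUATION_MODE_UNSPECIFIED"):
        findings.append("binary authorization is not enforced")
    if not cluster.get("privateClusterConfig", {}).get("enablePrivateNodes", False):
        findings.append("nodes are not private")
    if len(set(cluster.get("locations", []))) < 2:
        findings.append("nodes run in a single zone")
    return findings


def audit_container(container):
    """Return findings for the 'limit privileges on containers' item."""
    sc = container.get("securityContext") or {}
    findings = []
    if sc.get("privileged", False):
        findings.append("runs privileged")
    # Kubernetes allows privilege escalation unless it is set to false explicitly.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allows privilege escalation")
    if not sc.get("runAsNonRoot", False):
        findings.append("may run as root")
    if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
        findings.append("does not drop all capabilities")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER) + audit_container(SAMPLE_CONTAINER):
        print("FINDING:", finding)
```

An empty list from both functions means the checked items pass; IAM/RBAC scoping, image scanning and Secret Manager use are not covered by this check.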