In Kubernetes the kubelet listens on port 10250 and allows anonymous auth by default.
We need to:
* disable anonymous auth
* enable webhook auth with certs and with tokens for service accounts that have the proper roles.
For an even more secure configuration we can:
* close the cAdvisor port
* close the read-only port
Only the healthz port of kube-proxy (10256) will be open on worker nodes.
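The hardening steps above, written out as an added example (not configuration from the original text or from any particular project): a `KubeletConfiguration` that disables anonymous auth, turns on webhook authentication and authorization, and closes the read-only port, followed by the RBAC objects that let one service account reach the kubelet's metrics and stats endpoints. The CA path, the ClusterRole name and the `metrics-collector` service account in the `monitoring` namespace are assumptions; the cAdvisor port has no field in `KubeletConfiguration`, so it is shown as the legacy `--cadvisor-port=0` flag, which only exists on kubelets older than 1.12 (newer releases no longer open that port at all).

```yaml
# Added example: kubelet config file, passed with --config=/var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false            # unauthenticated requests to 10250 get 401 instead of system:anonymous
  webhook:
    enabled: true             # bearer tokens are checked with TokenReview against the API server
    cacheTTL: 2m0s
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path; CA that signed the apiserver's kubelet client cert
authorization:
  mode: Webhook               # every request is checked with SubjectAccessReview (resource "nodes", subresource per endpoint)
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
readOnlyPort: 0               # closes the unauthenticated read-only API on 10255
# For kubelets before 1.12 the separate cAdvisor listener is closed with a flag, not a config field:
#   --cadvisor-port=0
---
# Added example: grant a monitoring service account read access to the kubelet metrics and stats endpoints.
# Under Webhook authorization the kubelet maps /metrics to nodes/metrics and /stats to nodes/stats.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-metrics-reader        # assumed name
rules:
- apiGroups: [""]
  resources: ["nodes/metrics", "nodes/stats"]
  verbs: ["get"]                      # GET requests map to the "get" verb
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-metrics-reader        # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-metrics-reader
subjects:
- kind: ServiceAccount
  name: metrics-collector             # assumed service account
  namespace: monitoring               # assumed namespace
```

With this in place the API server itself still needs a client certificate signed by the CA in `clientCAFile` (its `--kubelet-client-certificate` and `--kubelet-client-key` flags) and a binding to the built-in `system:kubelet-api-admin` ClusterRole, otherwise `kubectl logs` and `kubectl exec` stop working. A quick check from a worker node is `curl -sk https://127.0.0.1:10250/pods`, which should now return 401, while `curl -s http://127.0.0.1:10255/pods` should fail to connect; presenting the service account token as a bearer token against `/metrics` should succeed, and against `/pods` should return 403 because the role above does not grant `nodes/proxy`.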