This document discusses how to think like a threat actor in Kubernetes environments. It covers three pillars: 1) gaining visibility across the supply chain, 2) starting with RBAC and diving deeper into access controls, and 3) correlating data plane and control plane telemetry for incident response. Examples discussed include malicious and vulnerable packages in container images, masqueraded cluster role bindings, and lateral movements via default service accounts. The document advocates developing a snapshot of the security posture, leveraging concepts like zero trust and IAM, and collecting telemetry across processes, Kubernetes, and cloud platforms to detect attacks.