DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service. Deploy Kubernetes clusters with a fully managed control plane, high availability, autoscaling, and native integration with DigitalOcean Load Balancers and volumes. DOKS clusters are compatible with standard Kubernetes toolchains and the DigitalOcean API and CLI.
Not today.
You need to use a privileged pod configured to gain access to the underlying system of the worker node.
The worker node system is updated when clusters are upgraded. This is one important reason to enable auto-upgrades on your cluster. The changelog lists the images released over time and what changed in each.
You can run additional security tooling on worker nodes as privileged DaemonSets.
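Because both node access and node-level security tooling rely on privileged pods, it helps to know which workloads in a cluster hold that access. The following Python check is an added example, not part of DigitalOcean's documentation or tooling: it reads pod JSON in the shape of `kubectl get pods -A -o json` and reports pods that are privileged or share host namespaces or paths, and whether each is DaemonSet-managed. The pod names, namespaces, and the `node_access_findings` helper are constructed for illustration.

```python
import json

# Constructed sample: trimmed data in the shape of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "security", "name": "node-agent-x7k2p",
                "ownerReferences": [{"kind": "DaemonSet", "name": "node-agent"}]},
   "spec": {"hostPID": true,
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
            "containers": [{"name": "agent", "securityContext": {"privileged": true}}]}},
  {"metadata": {"namespace": "default", "name": "web-5d9f"},
   "spec": {"containers": [{"name": "nginx", "securityContext": {"privileged": false}}]}},
  {"metadata": {"namespace": "default", "name": "debug-shell"},
   "spec": {"initContainers": [{"name": "setup"}],
            "containers": [{"name": "sh", "securityContext": {"privileged": true}}]}}
]}
""")

# Pod-spec fields that share a host namespace with the worker node.
HOST_FLAGS = ("hostPID", "hostNetwork", "hostIPC")

def node_access_findings(pod_list):
    """Return one finding per pod that can reach the worker node's host system."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        reasons = []
        containers = (spec.get("containers", []) + spec.get("initContainers", [])
                      + spec.get("ephemeralContainers", []))
        for c in containers:
            # securityContext may be absent or null; treat both as unprivileged.
            if (c.get("securityContext") or {}).get("privileged"):
                reasons.append(f"privileged container {c['name']}")
        reasons += [flag for flag in HOST_FLAGS if spec.get(flag)]
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:
                reasons.append(f"hostPath {vol['hostPath'].get('path')}")
        if reasons:
            owners = [o.get("kind") for o in meta.get("ownerReferences", [])]
            findings.append({"pod": f"{meta.get('namespace')}/{meta.get('name')}",
                             "daemonset": "DaemonSet" in owners,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in node_access_findings(SAMPLE_POD_LIST):
        kind = "DaemonSet-managed" if f["daemonset"] else "not DaemonSet-managed"
        print(f"{f['pod']} ({kind}): {', '.join(f['reasons'])}")
```

Pods flagged as not DaemonSet-managed are the ones to compare against the security tooling you deployed deliberately.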
Security-scanning services are built into some image registries such as Docker Hub and Quay. You can also use an independent scanner such as Anchore, WhiteSource, or Clair. Avoid importing open-source code as tarballs; use a package from a public repository instead, so the scanner is more likely to recognize it.
DOKS offers token-based authorization (recommended) and supports certificates for legacy clusters. For more details, see Connect to a Cluster.
We recommend consulting the CNCF’s security recommendations, and reading Securing a Cluster and Overview of Cloud Native Security in the Kubernetes documentation.