- **kube-apiserver** — The central management point. All operations go through the API server. Compromise of the API server means full cluster control.
- **etcd** — Distributed key-value store holding all cluster state, including Secrets. Directly accessing etcd bypasses all RBAC controls.
- **kube-sc