Is your essential tooling leaving your Kubernetes clusters vulnerable to CVEs? Are you sure? For example, Ingress and Gateway controllers are often deployed with read access to all Secrets in a cluster. What if we could introduce new authorization APIs that both mitigate future CVEs and enable entirely new reference patterns? In this talk, Rob and Mo will show how new APIs being developed by the community can help keep your clusters secure and safely enable cross-namespace references. Along the way, you’ll learn the history of these problems, including various stop-gap solutions that have been attempted along the way, to help you understand the context for the proposed changes. This session will provide you with clear guidelines for how to keep your clusters secure today by limiting unnecessary access to components running in your clusters. You’ll also learn how you can shape the future of these Kubernetes APIs by providing early feedback in the coming months of active development.