Strengthening Kubernetes Trust: SIG Auth's Latest Security Enhancements
SIG Auth is leading efforts to strengthen Kubernetes’ authentication and authorization foundations. This session covers recent and upcoming features shaping security across the stack. Secure image pulls are being enabled using ephemeral ServiceAccount tokens, reducing reliance on long-lived secrets and node-scoped credentials. Kubernetes is gaining a new mechanism for provisioning X.509 certificates directly to pods via the kubelet, enabling strong mTLS authentication and service-to-service communication. Kubelet serving certificate validation is being hardened to prevent node impersonation, especially in dynamic or on-prem environments. In resource management, DRA adds support for privileged admin access to devices in use, enabling secure diagnostics without weakening isolation. We’ll also cover current and future improvements in authorization, such as tighter policy for image pull operations. Join us to learn how these efforts are improving the trust model across Kubernetes.

Anish Ramasekar
Principal Software Engineer, Microsoft
Seattle, Washington, United States