Routing sends a request to the right service, while authorization decides whether that request should be allowed in the first place. In a secure Kubernetes model, routing should be handled by ingress infrastructure and authorization should be handled by an identity-aware policy layer before the service is reached.
Why This Matters for Security Teams
Routing and authorization are often collapsed into one discussion because both happen “in front of” an application, but they solve different problems. In Kubernetes, routing decides where traffic goes, while authorization decides whether a caller should be trusted to reach the workload at all. That distinction matters because service discovery, ingress rules, and load balancing can all be functioning correctly while a compromised service account still reaches sensitive APIs.
NHIMG research shows how often identity controls lag behind infrastructure controls. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which makes identity-aware enforcement more important than path-based filtering alone. The core lesson aligns with the OWASP Non-Human Identity Top 10: network placement is not a substitute for access control.
Security teams get into trouble when they assume ingress, namespace boundaries, or cluster IPs are enough to protect workloads. In practice, many teams discover over-permissive service account access only after lateral movement has already happened, rather than through intentional access design.
How It Works in Practice
Routing in Kubernetes is about transport decisions. Ingress controllers, gateways, service meshes, and kube-proxy steer requests toward the correct service based on hostnames, paths, ports, or labels. Authorization is a separate decision layer that should evaluate the caller, the requested action, and the context before the request is allowed to proceed.
For human users, this distinction is familiar. For workloads, the identity is usually a service account, pod identity, or workload identity bound to cryptographic proof. The practical goal is to authorize based on what the caller is and what it is trying to do, not simply on whether traffic reached a pod. That is why policy engines and identity-aware proxies are increasingly used alongside Kubernetes networking controls.
- Use routing to direct traffic to the right service, namespace, or version.
- Use authorization to decide whether a service account, pod, or external caller may invoke the operation.
- Prefer workload identity and short-lived credentials over shared secrets or long-lived tokens.
- Evaluate policy at request time so decisions can reflect workload identity, method, path, labels, and environment.
Current guidance suggests combining Kubernetes network controls with policy-as-code and strong workload identity, not relying on either one alone. The Ultimate Guide to NHIs — Key Challenges and Risks is explicit that secrets sprawl and excessive privilege are persistent failure modes, while identity-focused architectures such as the OWASP Non-Human Identity Top 10 emphasize lifecycle control over mere connectivity.
In a mature setup, routing gets the packet to the service, but authorization still happens before sensitive logic executes, often through a sidecar, gateway, or service-mesh policy layer. These controls tend to break down when teams treat internal cluster traffic as implicitly trusted and allow any pod in a namespace to call any service without caller verification.
Common Variations and Edge Cases
Tighter authorization often increases operational overhead, requiring organisations to balance policy precision against rollout complexity and debugging effort. That tradeoff becomes more visible in Kubernetes because traffic can be routed through multiple layers, including ingress, service meshes, and internal service-to-service calls.
One common edge case is TLS termination at the ingress layer. Routing can succeed even when upstream authorization is weak, so teams sometimes mistake encrypted transport for access control. Another is namespace-based trust, which is convenient but coarse. Best practice is evolving toward workload identity, least privilege, and per-request policy checks, but there is no universal standard for this yet across every Kubernetes deployment model.
NHIMG’s 52 NHI Breaches Analysis underscores a recurring pattern: identity compromise often turns infrastructure shortcuts into broad access. For that reason, routing should be treated as connectivity plumbing, while authorization should be treated as an identity control that must survive compromised pods, misconfigured service accounts, and east-west traffic inside the cluster.
In practice, the hard failures appear when teams rely on cluster reachability as proof of trust in multi-tenant environments or when service-to-service calls are not bound to verified workload identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Separates workload identity from network reachability in Kubernetes. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be enforced independently of routing paths. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero trust requires explicit authorization for each request, not implicit trust. |
Bind pod and service access to verified workload identity, not cluster location.
Related resources from NHI Mgmt Group
- What is the difference between Kubernetes network policy and identity-based access control?
- What is the difference between ingress routing and identity-aware access control?
- What is the difference between JIT access and Zero Trust for NHIs?
- What is the difference between secretless access and temporary credentials?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
