My personal suggestion was to use the API Gateway to validate tokens, but that comes with its own set of challenges (on the on-prem we use a different authentication scheme). It also allows anyone inside the cluster to move freely