A Comparative Study of Authorization Mechanisms in Kubernetes-Based Service Platforms
Dipartimento di Automatica e Informatica (DAUIN), Politecnico di Torino, Italy
These authors had equal contribution to this work
Submission date: 2026-02-23
Final revision date: 2026-04-02
Acceptance date: 2026-04-09
Publication date: 2026-05-21
Corresponding author
Daniele Bringhenti
Dipartimento di Automatica e Informatica (DAUIN), Politecnico di Torino, Italy
Applied Cybersecurity & Internet Governance 2025;4(Special Issue - guest editor prof. Joanna Kołodziej 2)
ABSTRACT
Kubernetes has become a core substrate for digital service platforms, where multiple teams, tenants, and automation components share the same control plane. In this setting, authorization is a central security control because it governs API operations that can expose sensitive data, change runtime behavior, or disrupt availability. Enforcing least privilege in Kubernetes is challenging in practice: the authorization surface is broad, policies evolve continuously, and automation identities frequently act with privileges that can amplify the impact of misconfiguration or compromise. This paper compares Kubernetes authorization mechanisms, covering native options (RBAC, ABAC, and Authorization Webhooks) together with representative open-source approaches that enable more expressive models, namely Open Policy Agent (OPA) and SpiceDB. The analysis is grounded in operational requirements typical of shared clusters, including delegated administration, constrained access to sensitive resources, least-privilege automation, and controlled administrative operations. Mechanisms are evaluated through a unified framework that captures both security and operational consequences along four dimensions: complexity, granularity, scalability, and performance. The results show that no mechanism dominates across all dimensions. RBAC remains an effective baseline due to tight integration and low-latency enforcement, but it can be difficult to extend to contextual constraints without policy sprawl. ABAC supports conditional rules but is often penalized by operational workflows that make policy evolution costly. Webhook authorization is flexible but introduces a security-critical external dependency on the API request path. More expressive approaches such as OPA and SpiceDB are justified when they replace brittle approximations and support disciplined policy lifecycle management or relationship-driven permissions at scale.
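The abstract's point about automation identities acting with amplified privileges, and about least-privilege automation as an operational requirement, can be made concrete with a native RBAC configuration. The following is an added illustration, not material from the paper or its evaluation framework: it places an over-privileged binding for a CI deployer service account beside a namespace-scoped alternative that grants only the verbs the pipeline needs. All names (the `ci` and `team-a` namespaces, the `ci-deployer` service account, the `deployment-updater` role) are hypothetical.

```yaml
# Added illustration (not from the paper). Two ways to authorize a CI deployer
# service account; all names are hypothetical.

# --- Over-privileged: an automation identity bound to cluster-admin ---
# Any compromise of this service account token yields full control-plane access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-deployer-cluster-admin
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: ci
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# --- Least privilege: a Role scoped to one namespace and one resource type ---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-updater
  namespace: team-a
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]
  # Deliberately absent: secrets, pods/exec, create/delete, and every
  # cluster-scoped resource. The pipeline can roll out images and nothing else.
---
# Bind the namespaced Role to the same service account from the ci namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-team-a
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: ci
roleRef:
  kind: Role
  name: deployment-updater
  apiGroup: rbac.authorization.k8s.io
```

After applying the second variant, the effective permissions can be checked from the API server's own view with `kubectl auth can-i get secrets -n team-a --as=system:serviceaccount:ci:ci-deployer`, which should answer `no`, while the same query for `patch deployments.apps` should answer `yes`. The example also shows the limitation the abstract attributes to RBAC: the Role can restrict by namespace, resource and verb, but a contextual condition such as "only Deployments carrying a particular ownership label" or "only during a change window" cannot be expressed here and would require ABAC, a webhook, or a policy engine such as OPA.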