Using a similar pattern (tickets I guess) doesn’t mean you’re reinventing something.

You might equally say we’re reinventing “authenticated sessions”. More in common with jwt cookies tbh.

We don’t want to run krb infrastructure so we don’t do that.

The runtime dependency on ldap or NIS, plus keeping krb itself HA, fed and happy plus OS dependent PAM setup make krb fairly undesirable in a production cloud environment if ssh certs and kube certs would suffice.