well i was more thinking along the lines of every service in your vault implementing additional 2fa.

In the kubernetes world it really is not so difficult