I have a signing key that I need to safely store.
What I used to do was store it directly in the hardware available on that same host (TPM 2.0, using the PKCS#11 API). Now I am moving my services to Kubernetes. I have tried googling "Kubernetes TPM", but everything I have found was about securing Kubernetes with a remote TPM (via a Key Management System), not the one on the host itself. Is using the hardware located on the node an anti-pattern (because I see very little about using the node TPM with Kubernetes)? What is most commonly done to protect those signing keys (aside from a KMS)?
Thanks!
In this era, APIs are the way.