- Implement Pod Security Standards (Restricted profile)
- Use RBAC with least privilege; never grant cluster-admin to service accounts
- Enable audit logging for all API server operations
- Encrypt Secrets at rest using KMS
- Implement Network Policies to restrict pod-to-pod communication
- Block IMD