Kubernetes security configuration applied at every layer, RBAC, admission control, pod security, network policy, image security, and secrets management, because a Kubernetes cluster with permissive defaults is a larger attack surface than the VMs it replaced. RBAC configuration: separate namespaces per team (frontend, backend, data) and per environment (dev, staging, production) with ClusterRole/Role definitions granting the minimum permissions required; service accounts for workloads that need Kubernetes API access (e.g., operators, CI deployments) with specific resourceRule grants rather than cluster-admin; kubectl auth can-i audit of every service account role binding before production launch. Pod Security Standards: baseline profile enforced via namespace admission controller labels to block privileged containers, containers running as root, hostNetwork/hostPID/hostIPC access, and dangerous capabilities (NET_ADMIN, SYS_ADMIN); restricted profile applied to namespaces where the workloads have been validated to operate without elevated privileges. Image security via Trivy scanning in CI: images scanned for known CVEs before each deployment; HIGH and CRITICAL severity findings block the pipeline; a suppression file for accepted false positives reviewed quarterly. Secrets management: External Secrets Operator deployed to sync secrets from AWS Secrets Manager or HashiCorp Vault into Kubernetes Secret objects at runtime, preventing application secrets from being committed to the Helm values repository and enabling rotation without pod restarts when the operator is configured with a sync interval. Admission webhook integration with OPA/Gatekeeper or Kyverno for policy-as-code enforcement: custom policies blocking deployments without resource limits, blocking images from unapproved registries, and requiring specific label sets on all workloads for cost allocation.