How to balance Pod Security Standards, admission controllers, secrets, and runtime s

[Aria_R]

I'm a DevOps engineer tasked with hardening our Kubernetes clusters in AWS after a recent internal audit flagged several security gaps. We're running a mix of stateful and stateless workloads, and I need to implement a comprehensive security posture beyond just network policies. For teams that have gone through this, what are the Kubernetes security best practices you prioritized? I'm particularly unsure about the trade-offs between Pod Security Standards versus a third-party admission controller, managing secrets effectively across namespaces, and implementing runtime security monitoring without crippling performance. How do you balance the principle of least privilege with developer agility, and what tools or processes have been most effective for continuous compliance scanning and vulnerability management in your container images?