What are the best practices for securing multi-tenant Kubernetes clusters in AWS?

We're building a multi-tenant SaaS platform on Kubernetes running in AWS EKS. Each tenant needs isolation while sharing the same cluster infrastructure. Key concerns: - Network isolation between tenants - Resource quotas and limits - RBAC and namespace isolation - Pod security policies - Network policies implementation I've read about Network Policies and OPA Gatekeeper, but I'd like to hear from practitioners who have implemented this in production. What are the critical security controls we should prioritize? Also interested in: - Cost implications of different isolation strategies - Performance impact of network policies - Compliance considerations (SOC 2, ISO 27001)