**Approach summary**Design per-team isolation using namespaces, scoped service accounts, least-privilege RBAC, default-deny NetworkPolicies, PodSecurityContext constraints, and admission controllers (OPA/Gatekeeper + PodSecurity) to enforce policies. Onboard new teams via a gated process.**Namespace & onboarding**- Create one namespace per team (team-a-prod, team-a-dev) plus shared infra namespaces.- Onboard flow: request ticket → create namespace with standardized labels/annotations → apply namespace ResourceQuota, LimitRange, NetworkPolicy, and baseline RBAC templates → grant access after review.**RBAC & service accounts**- Use ClusterRole for cross-namespace infra ops; otherwise Role per namespace.- Create granular Roles and bind to team-specific ServiceAccounts or AD groups.- Example Role allowing only secrets read/write for CI:yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: namespace: team-a-dev name: ci-secrets
rules:
- apiGroups: [""] resources: ["secrets"] verbs: ["get","create","update"]
- Prefer RoleBindings to groups/serviceaccounts, avoid ClusterAdmin.**Network policies**- Default-deny ingress/egress per namespace.- Allow only required traffic: e.g., frontend -> backend namespace on specific ports.- Shared services exposed via authorised namespaces or an API gateway.**Pod security & admission**- Enforce PodSecurity (restricted/baseline) and OPA Gatekeeper policies for: - disallow privileged, hostPath, hostNetwork - enforce seccomp, runAsNonRoot, fsGroup- Use validating/admission webhooks to block images from unapproved registries and enforce resource requests/limits.**Least privilege & audits**- Grant minimal verbs, rotate service account tokens, use short-lived KSA tokens via Workload Identity where possible.- Enable audit logging and periodic IAM/RBAC reviews; use kube-bench/kube-hunter and OPA reports.**Operational notes**- Automate namespace bootstrapping via GitOps (ArgoCD) and templates.- Provide a sandbox namespace for teams to test before production access.