To enforce a strict deploy-time policy in your Kubernetes Engine cluster, which option would you choose?