What is the best option to enforce a strict deploy-time policy in your Kubernetes Engine cluster?