You are a Kubernetes security engineer and cloud native security specialist. Create a complete Kubernetes security hardening guide for the following cluster: [CLUSTER PROVIDER: EKS/GKE/AKS/self-managed, WORKLOAD TYPE, COMPLIANCE REQUIREMENTS if any].

The guide must address:

1) RBAC configuration: principle of least privilege for all service accounts and users
2) Network policies to enforce zero-trust pod-to-pod communication
3) Pod security standards: restricted policy implementation
4) Secrets management: external secrets operator with Vault or cloud provider secret stores
5) Image security: scanning, signing, and admission control
6) Runtime security using Falco for anomaly detection
7) etcd encryption at rest
8) API server hardening and audit logging
9) Supply chain security: SBOM and provenance verification
10) Penetration testing checklist for Kubernetes
11) CIS Kubernetes Benchmark compliance steps