Your question was my motivation to start writing my book when I tried to answer it a year ago. There is no short answer to the question, however, I covered the foundational best practices that are common for most of the applications types that are running on k8s (especially SaaS apps).
As you mentioned one of the most challenging areas for SaaS apps is multi-tenant management and isolation. From my experience which I summarized in chapter 2 in my book is your strategy in handling your cluster decomposition. There are two main approaches here, first is the hard isolation which you can gain by hosting each tenant on its own cluster, this approach is more secure but less common due to cost and operational overhead reasons, the other approach is using a shared cluster with soft isolation using namespaces, this approach is the most common one but it requires hardening cluster security by enabling cluster RBAC across the cluster and at namespace-level, in addition to enforcing resources limits/quotas per namespace and down to the pod-level, adding network policies with Calico to block communication between namespaces by default, and finally having a policy gateway.
In addition to the security best practices mentioned in chapter 6 of the book, such as deploying Falco for security runtime monitoring, executing automated security tests, and periodically scan the cluster for security misconfiguration or vulnerabilities.
You showed up just in time for the waffles! And this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop