You want to implement a secure CI/CD pipeline for a Kubernetes application. Security is a top priority, and you must ensure that only approved and scanned container images are deployed to the production namespace. What's the most effective way to enforce this requirement?