You are designing a multi-tenant SaaS application on GKE. Each tenant's microservices run in a dedicated Kubernetes namespace. Tenant A's microservices need access to Tenant A's Cloud Storage bucket, and Tenant B's microservices need access to Tenant B's bucket. How should you configure authentication to ensure strict isolation?

Assign a single GCP Service Account to the GKE node pool that has access to both buckets.

Generate JSON keys for Tenant A and Tenant B's GCP Service Accounts and store them as Kubernetes Secrets in their respective namespaces.

Enable Workload Identity on the GKE cluster. Map Tenant A's Kubernetes Service Account to a GCP Service Account with access to Tenant A's bucket, and do the same for Tenant B.

Use VPC Service Controls to restrict bucket access based on the pod's internal IP address.