How would you design a secure CI/CD pipeline for deploying a new microservice to a Kubernetes cluster?