feat(kyverno): add policy engine with security baseline

- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards

infrastructure/kyverno/policies/kustomization.yaml

@@ -0,0 +1,12 @@
+# infrastructure/kyverno/policies/kustomization.yaml
+# Security policies for cluster-wide enforcement
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - disallow-privileged.yaml
+  - require-resource-limits.yaml
+  - require-labels.yaml
+  - require-non-root.yaml
+  - disallow-latest-tag.yaml
+  - add-default-securitycontext.yaml