feat(kyverno): add policy engine with security baseline

- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards

infrastructure/kyverno/policies/require-resource-limits.yaml

@@ -0,0 +1,41 @@
+# infrastructure/kyverno/policies/require-resource-limits.yaml
+# Ensures all pods have resource limits defined
+# Prevents resource exhaustion and enables proper scheduling
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-resource-limits
+  annotations:
+    policies.kyverno.io/title: Require Resource Limits
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Resource limits prevent a single workload from consuming excessive
+      cluster resources. This policy requires all containers to define
+      CPU and memory limits.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-resources
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - kyverno
+      validate:
+        message: "CPU and memory limits are required. Add resources.limits.cpu and resources.limits.memory."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "?*"
+                    cpu: "?*"