feat(security): add Pod Security Standards (PSA) namespace configurations

- Add namespace templates for privileged, baseline, and restricted levels
- Include compliant deployment examples for baseline and restricted
- Add migration audit script for checking namespace compliance
- Document PSA levels, enforcement modes, and migration strategy

Follows Kubernetes Pod Security Admission best practices for 2025+.
Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/

pod-security/namespaces/baseline.yaml

@@ -0,0 +1,30 @@
+# Baseline namespace - for most application workloads
+# Prevents known privilege escalations while allowing common configurations
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: baseline-apps
+  labels:
+    # PSA labels - baseline enforcement with restricted auditing
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted    # Audit at higher level
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted     # Warn about restricted violations
+    pod-security.kubernetes.io/warn-version: latest
+    # Metadata
+    environment: production
+    security-level: baseline
+  annotations:
+    description: "Baseline security for standard application workloads"
+---
+# Baseline allows:
+# - Default container configurations
+# - Non-privileged containers
+# - Standard capabilities (NET_BIND_SERVICE, etc.)
+#
+# Baseline blocks:
+# - Privileged containers
+# - Host namespaces (hostPID, hostIPC, hostNetwork)
+# - Host path volumes
+# - Privileged capabilities

pod-security/namespaces/privileged.yaml

@@ -0,0 +1,25 @@
+# Privileged namespace - for system-level workloads only
+# Use sparingly: CNI plugins, monitoring agents, storage drivers
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: privileged-system
+  labels:
+    # PSA labels - privileged level
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+    # Metadata
+    environment: system
+    security-level: privileged
+  annotations:
+    description: "Privileged namespace for system workloads requiring host access"
+---
+# Example: kube-system should typically be privileged
+# To label an existing namespace:
+# kubectl label namespace kube-system \
+#   pod-security.kubernetes.io/enforce=privileged \
+#   pod-security.kubernetes.io/audit=privileged \
+#   pod-security.kubernetes.io/warn=privileged \
+#   --overwrite

pod-security/namespaces/restricted.yaml

@@ -0,0 +1,34 @@
+# Restricted namespace - maximum security hardening
+# For sensitive workloads and untrusted code
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: restricted-apps
+  labels:
+    # PSA labels - restricted at all levels
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    # Metadata
+    environment: production
+    security-level: restricted
+  annotations:
+    description: "Restricted security for sensitive and untrusted workloads"
+---
+# Restricted REQUIRES:
+# - runAsNonRoot: true
+# - allowPrivilegeEscalation: false
+# - Drop ALL capabilities (except NET_BIND_SERVICE)
+# - seccompProfile: RuntimeDefault or Localhost
+# - Read-only root filesystem (recommended)
+#
+# Restricted BLOCKS:
+# - Everything baseline blocks, plus:
+# - Running as root
+# - Privilege escalation
+# - Most capabilities
+# - HostPath volumes
+# - Writable root filesystems (warning only)