feat(deployments): add PSS-restricted base template with Kustomize

- Namespace with Pod Security Standards restricted enforcement
- Deployment with full security context (non-root, read-only fs, no caps)
- Resource limits, health probes, topology spread
- Service and comprehensive README
- Kustomize structure for overlay-based customization

deployments/base/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+
+labels:
+  - pairs:
+      app.kubernetes.io/managed-by: kustomize
+    includeSelectors: false
+
+# Default namespace for all resources
+namespace: app-production