- Namespace with Pod Security Standards restricted enforcement
- Deployment with full security context (non-root, read-only fs, no caps)
- Resource limits, health probes, topology spread
- Service and comprehensive README
- Kustomize structure for overlay-based customization
