Apply SEC-7 baseline to Apple MDM

apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml

@@ -8,6 +8,12 @@ metadata:
   name: fc-apple-mdm
   labels:
     app.kubernetes.io/part-of: flowercore
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -85,6 +91,8 @@ spec:
         runAsGroup: 1654
         fsGroup: 1654
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: nanohub
           image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
@@ -270,6 +278,17 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
+metadata:
+  name: fc-apple-mdm-default-deny
+  namespace: fc-apple-mdm
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
   name: fc-apple-mdm-netpol
   namespace: fc-apple-mdm
@@ -320,3 +339,40 @@ spec:
           protocol: TCP
         - port: 8080
           protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: fc-apple-mdm-acme-http-solver-allow
+  namespace: fc-apple-mdm
+spec:
+  podSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+      ports:
+        - port: 8089
+          protocol: TCP
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP