feat(mlflow): add security hardening defaults and NetworkPolicy #169

@kriscoleman

Description

Parent epic: #166
Integration branch: feat/mlflow-enterprise-patterns

Add security context defaults and NetworkPolicy for vendors in regulated industries (SOC 2, HIPAA).

Scope

  • Add podSecurityContext defaults to charts/mlflow/values.yaml: runAsNonRoot: true, fsGroup
  • Add containerSecurityContext defaults: readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, capabilities.drop: [ALL]
  • Apply security contexts in charts/mlflow/templates/deployment.yaml via .Values references
  • Create charts/mlflow/templates/networkpolicy.yaml with:
    • Default deny all ingress/egress
    • Allow same-namespace traffic
    • Allow ingress-nginx → mlflow on port 5000
    • Allow mlflow → postgres on port 5432
    • Allow mlflow → minio on port 9000
    • Conditional on .Values.networkPolicy.enabled
  • Add networkPolicy section to charts/mlflow/values.yaml

Files touched

  • applications/mlflow/charts/mlflow/values.yaml (add securityContext + networkPolicy sections)
  • applications/mlflow/charts/mlflow/templates/deployment.yaml (wire security contexts)
  • applications/mlflow/charts/mlflow/templates/networkpolicy.yaml (new file)

PR target

Branch PRs to feat/mlflow-enterprise-patterns (not main).
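
A sketch of what the networkpolicy.yaml described in the scope list could look like, as an added example and not the chart's own template. The ports and the .Values.networkPolicy.enabled guard come from the issue; the policy names, pod labels and the ingress-nginx namespace name are assumptions.

```yaml
{{- if .Values.networkPolicy.enabled }}
# Selecting every pod with both policy types isolates the whole namespace
# (default deny); the only peers allowed here are pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-allow-same-namespace   # hypothetical name
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}
---
# Policies are additive, so these rules widen the baseline for mlflow only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mlflow-allow   # hypothetical name
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: mlflow          # assumed pod label
  policyTypes: [Ingress, Egress]
  ingress:
    - from:                                   # ingress-nginx -> mlflow:5000
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed namespace
      ports:
        - {protocol: TCP, port: 5000}
  egress:
    - to:                                     # mlflow -> postgres:5432
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgres   # assumed pod label
      ports:
        - {protocol: TCP, port: 5432}
    - to:                                     # mlflow -> minio:9000
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: minio      # assumed pod label
      ports:
        - {protocol: TCP, port: 9000}
{{- end }}
```

A bare podSelector only matches pods in the policy's own namespace, so the postgres and minio rules assume those pods run alongside mlflow. The scope list has no DNS rule, so neither does this sketch; under default-deny egress, lookups to a cluster DNS service in another namespace stay blocked until one is added.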
