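---
# Namespace with Resource Quota.
# Pod Security Admission labels are set to audit/warn (non-blocking) so that
# pods missing the hardening used in the Deployment below are reported; switch
# to `pod-security.kubernetes.io/enforce: restricted` once every workload in
# the namespace is known to comply.
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    team: platform
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Resource Quota for the namespace.
# Note: once `requests.*` / `limits.*` are quota'd, every pod must declare
# requests and limits or it is rejected at admission. The LimitRange below
# supplies defaults so containers that omit them still schedule.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    # CPU and memory
    requests.cpu: "8"              # 8 CPU cores total
    requests.memory: "16Gi"        # 16 GiB memory total
    limits.cpu: "16"               # 16 CPU cores max
    limits.memory: "32Gi"          # 32 GiB memory max
    # Object counts
    pods: "50"                     # 50 pods max
    services: "20"                 # 20 services max
    persistentvolumeclaims: "20"   # 20 PVCs max
    configmaps: "50"               # 50 ConfigMaps max
    secrets: "50"                  # 50 Secrets max
    # Storage
    requests.storage: "100Gi"      # 100 GiB storage total
---
# Limit Range: per-container defaults plus a per-pod ceiling.
apiVersion: v1
kind: LimitRange
metadata:
  name: production-limits
  namespace: production
spec:
  limits:
    # Defaults applied to containers that omit requests/limits
    - type: Container
      default:
        memory: "512Mi"
        cpu: "500m"
      defaultRequest:
        memory: "256Mi"
        cpu: "250m"
    # Pod-level ceiling (sum over all containers in the pod).
    # `default` / `defaultRequest` are only valid for type Container and are
    # rejected by the API server on type Pod, so the pod entry uses `max`.
    - type: Pod
      max:
        memory: "1Gi"
        cpu: "1000m"
---
# Deployment with proper resource management
apiVersion: apps/v1
kind: Deployment
metadata:
  name: resource-managed-app
  namespace: production
  labels:
    app: resource-managed-app
    environment: production
spec:
  # `spec.replicas` is intentionally omitted: the HPA below owns the replica
  # count, and a fixed value here would reset the scale to that value on every
  # `kubectl apply`. The HPA's minReplicas provides the floor of 3.
  selector:
    matchLabels:
      app: resource-managed-app
  template:
    metadata:
      labels:
        app: resource-managed-app
        environment: production
    spec:
      # A static web server has no need for the API credentials that are
      # otherwise mounted into every pod by default.
      automountServiceAccountToken: false
      # Pod-level security context
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 2000
        # Default seccomp profile of the container runtime; required by the
        # "restricted" Pod Security Standard.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          # The stock `nginx` image binds port 80 and writes to /var/cache/nginx
          # and /var/run at startup, none of which work as UID 1000 with a
          # read-only root filesystem, so the original `nginx:latest` could not
          # start under this security context. The unprivileged variant listens
          # on 8080 and keeps its PID file and cache under /tmp (mounted below).
          # TODO(review): pin to an immutable tag or digest before deploying; a
          # floating tag makes rollbacks and provenance checks unreliable.
          image: nginxinc/nginx-unprivileged:stable
          ports:
            - name: http
              containerPort: 8080
          # Resource requests and limits
          resources:
            requests:
              memory: "256Mi"   # Minimum guaranteed
              cpu: "250m"       # 0.25 CPU cores
            limits:
              memory: "512Mi"   # Maximum allowed
              cpu: "500m"       # 0.5 CPU cores
          # Health checks (probe the named port so a port change is made once)
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          # Container-level security context
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Only writable location; nginx-unprivileged stores its PID file
            # and temp/cache directories here.
            - name: tmp-volume
              mountPath: /tmp
      volumes:
        - name: tmp-volume
          emptyDir: {}
---
# Horizontal Pod Autoscaler (HPA)
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: app-hpa
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: resource-managed-app
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    # NOTE(review): memory utilization rarely tracks request load for a static
    # web server and is not released when load drops, so this metric tends to
    # scale up but not back down — confirm it is wanted before relying on it.
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80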