feat: Add pod-cleanup CronJob + ArgoCD app (Phase 8.4)

Daily cleanup of completed/failed/evicted pods at 03:00 UTC.
Runs on master node with proper RBAC (ServiceAccount + ClusterRole).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/pod-cleanup/cronjob.yaml

@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: pod-cleanup
+  namespace: kube-system
+  labels:
+    app: pod-cleanup
+spec:
+  schedule: "0 3 * * *"
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: pod-cleanup
+        spec:
+          serviceAccountName: pod-cleanup
+          nodeSelector:
+            node-role.kubernetes.io/control-plane: ""
+          tolerations:
+            - key: node-role.kubernetes.io/control-plane
+              effect: NoSchedule
+          containers:
+            - name: cleanup
+              image: bitnami/kubectl:1.31
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  echo "=== Pod Cleanup $(date) ==="
+                  echo "Deleting completed pods..."
+                  kubectl delete pods --all-namespaces --field-selector=status.phase==Succeeded --ignore-not-found
+                  echo "Deleting failed pods..."
+                  kubectl delete pods --all-namespaces --field-selector=status.phase==Failed --ignore-not-found
+                  echo "Deleting evicted pods..."
+                  kubectl get pods --all-namespaces -o json | \
+                    jq -r '.items[] | select(.status.reason=="Evicted") | "\(.metadata.namespace) \(.metadata.name)"' | \
+                    while read ns name; do
+                      kubectl delete pod -n "$ns" "$name" --ignore-not-found
+                      echo "Deleted evicted pod $ns/$name"
+                    done
+                  echo "=== Cleanup complete ==="
+              resources:
+                requests:
+                  cpu: 50m
+                  memory: 64Mi
+                limits:
+                  cpu: 100m
+                  memory: 128Mi
+          restartPolicy: OnFailure
+      backoffLimit: 1

apps/pod-cleanup/rbac.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-cleanup
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-cleanup
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pod-cleanup
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pod-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: pod-cleanup
+    namespace: kube-system

argocd-apps/pod-cleanup.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pod-cleanup
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: http://10.10.10.1:3000/claude/k8s-apps.git
+    targetRevision: main
+    path: apps/pod-cleanup
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false