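---
# Deployment for the lcg application: one replica in the "lcg" namespace,
# configured from the lcg-config ConfigMap and the lcg-secrets Secret, with
# persistent data on the lcg-data PersistentVolumeClaim.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lcg
  namespace: lcg
  labels:
    app: lcg
    version: v2.0.11
spec:
  replicas: 1
  selector:
    matchLabels:
      app: lcg
  template:
    metadata:
      labels:
        app: lcg
    spec:
      containers:
        - name: lcg
          # The tag is mutable and imagePullPolicy is Always, so every pod
          # start pulls whatever the registry currently serves under this tag.
          # Pinning by digest (kuznetcovay/lcg:v2.0.11@sha256:<DIGEST>) makes
          # the deployed image immutable and auditable.
          image: kuznetcovay/lcg:v2.0.11
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
              protocol: TCP
          envFrom:
            - configMapRef:
                name: lcg-config
            # Every key of lcg-secrets becomes an environment variable of the
            # container process, visible to child processes and crash dumps.
            # Mounting only the needed keys as files narrows that exposure.
            - secretRef:
                name: lcg-secrets
          env:
            # Pod information, injected through the downward API.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            limits:
              cpu: 1000m
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 512Mi
          volumeMounts:
            - name: lcg-data
              mountPath: /app/data
            - name: lcg-config
              mountPath: /app/config
              readOnly: true
          # Health checks. tcpSocket probes only confirm that port 8080
          # accepts connections, not that the application answers correctly.
          # The startup probe allows roughly 160 s (10 s + 30 x 5 s) before
          # the container is restarted.
          startupProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
            failureThreshold: 30
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 60
          # Container-level security context. readOnlyRootFilesystem,
          # allowPrivilegeEscalation and capabilities exist only on the
          # container SecurityContext; placed in the pod-level block they are
          # either rejected by strict field validation or dropped, leaving
          # the container without these restrictions.
          securityContext:
            # Kept at the author's value. If the application writes only to
            # /app/data, setting this to true (plus an emptyDir for any
            # scratch path) removes the writable image filesystem.
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: lcg-data
          persistentVolumeClaim:
            claimName: lcg-data
        - name: lcg-config
          configMap:
            name: lcg-config
      # Pod-level security context: identity settings shared by all
      # containers. The kubelet refuses to start a container that would run
      # as UID 0.
      # NOTE(review): no seccompProfile is set; RuntimeDefault is the usual
      # baseline. If the lcg-data volume is not writable by UID 1001, an
      # fsGroup may also be needed here. Confirm both against the cluster.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
      # NOTE(review): no serviceAccountName is set, so the namespace's
      # default ServiceAccount token is mounted. If the application does not
      # call the Kubernetes API, automountServiceAccountToken: false removes
      # that credential from the pod.
      restartPolicy: Always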