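---
# Pod spec for the sharenet production stack: postgres, backend, frontend and an
# nginx edge container, all in one Pod so they share a network namespace and can
# reach each other on localhost. Images are taken from the local image store
# (localhost/...), and volumes are host directories, so this manifest targets a
# single host rather than a multi-node cluster.
apiVersion: v1
kind: Pod
metadata:
  name: prod-pod
  labels:
    app: sharenet-production
  annotations:
    # Podman-specific: sets no_new_privs on the containers. Every container below
    # also sets allowPrivilegeEscalation: false, so the two are kept in sync.
    io.containers.no-new-privileges: "true"
spec:
  hostname: prod-pod
  # Security: run every container as an unprivileged, fixed UID/GID and apply
  # the runtime's default seccomp profile. The seccomp setting is the one
  # hardening field the original omitted; the runtime's default profile is the
  # same one applied to containers that request nothing, so adding it here only
  # makes the intent explicit and keeps it from being silently dropped.
  # NOTE(review): UID 1000 must own the hostPath directories mounted writable
  # below (pgdata, nginx-cache) and must be able to read /etc/letsencrypt,
  # otherwise postgres/nginx fail at startup - confirm host permissions.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: postgres
      image: localhost/postgres:deployed
      # Security: drop all capabilities, read-only root filesystem except the
      # data volume. Credentials come from the postgres-secrets Secret.
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      envFrom:
        - secretRef:
            name: postgres-secrets
      ports:
        # Not a hostPort: postgres is reachable only inside the Pod's network
        # namespace, which is the intended exposure for the database.
        - containerPort: 5432
          protocol: TCP
      volumeMounts:
        # The only writable path in this container.
        - name: pgdata
          mountPath: /var/lib/postgresql/data
          readOnly: false
      # Health checks: pg_isready only tests that the server accepts
      # connections for the given user; it does not authenticate.
      livenessProbe:
        exec:
          command: ["pg_isready", "-U", "sharenet"]
        initialDelaySeconds: 30
        periodSeconds: 30
        timeoutSeconds: 10
        failureThreshold: 3
      readinessProbe:
        exec:
          command: ["pg_isready", "-U", "sharenet"]
        initialDelaySeconds: 5
        periodSeconds: 10
        timeoutSeconds: 5
      # Resource limits
      resources:
        requests:
          memory: "256Mi"
          cpu: "250m"
        limits:
          memory: "1Gi"
          cpu: "500m"
    - name: backend
      image: localhost/backend:deployed
      # Security: drop all capabilities, read-only root filesystem (no writable
      # mounts at all for this container).
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      envFrom:
        - secretRef:
            name: backend-secrets
      ports:
        # Internal only; nginx is the sole container with host-facing ports.
        - containerPort: 3001
          protocol: TCP
      # Health checks
      livenessProbe:
        httpGet:
          path: /health
          port: 3001
          scheme: HTTP
        initialDelaySeconds: 30
        periodSeconds: 30
        timeoutSeconds: 10
        failureThreshold: 3
      readinessProbe:
        httpGet:
          path: /health
          port: 3001
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 10
        timeoutSeconds: 5
      # Resource limits
      resources:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "512Mi"
          cpu: "250m"
    - name: frontend
      image: localhost/frontend:deployed
      # Security: drop all capabilities, read-only root filesystem (no writable
      # mounts at all for this container).
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      envFrom:
        - secretRef:
            name: frontend-secrets
      ports:
        # Internal only; nginx is the sole container with host-facing ports.
        - containerPort: 3000
          protocol: TCP
      # NOTE(review): this is the only application container without liveness
      # or readiness probes, so a hung frontend is never restarted. Add probes
      # once the frontend's health endpoint is known - not invented here.
      # Resource limits
      resources:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "256Mi"
          cpu: "250m"
    - name: nginx
      image: localhost/nginx:deployed
      # Security: drop all capabilities, read-only root filesystem; only the
      # cache directory is writable. The nginx config and the certificate tree
      # are mounted read-only so a compromised nginx cannot alter them.
      # NOTE(review): with ALL capabilities dropped and UID 1000, binding ports
      # 80/443 inside the container depends on the runtime permitting
      # unprivileged low ports (or the image listening elsewhere) - confirm on
      # the target host, since a bind failure would surface only at start-up.
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      ports:
        # hostPort publishes these directly on the host's interfaces; this is
        # the Pod's only externally reachable surface.
        - containerPort: 80
          protocol: TCP
          hostPort: 80
        - containerPort: 443
          protocol: TCP
          hostPort: 443
      volumeMounts:
        # subPath picks a single file out of the /opt/sharenet/nginx directory.
        - name: nginx-conf
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
          readOnly: true
        - name: nginx-cache
          mountPath: /var/cache/nginx
          readOnly: false
        # Contains private keys: read-only, and the host directory's permissions
        # decide whether UID 1000 can read them at all.
        - name: letsencrypt
          mountPath: /etc/letsencrypt
          readOnly: true
      # Health check (liveness only; no readiness probe is defined for nginx)
      livenessProbe:
        httpGet:
          path: /healthz
          port: 80
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 30
        timeoutSeconds: 5
        failureThreshold: 3
      # Resource limits
      resources:
        requests:
          memory: "64Mi"
          cpu: "50m"
        limits:
          memory: "128Mi"
          cpu: "100m"
  # All storage is hostPath with type: Directory, so the runtime refuses to
  # start the Pod if any of these directories is missing rather than creating
  # it with default ownership.
  volumes:
    - name: pgdata
      hostPath:
        path: /opt/sharenet/volumes/pgdata
        type: Directory
    - name: nginx-conf
      hostPath:
        path: /opt/sharenet/nginx
        type: Directory
    - name: nginx-cache
      hostPath:
        path: /opt/sharenet/volumes/nginx-cache
        type: Directory
    - name: letsencrypt
      hostPath:
        path: /etc/letsencrypt
        type: Directory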