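# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
---
# Single-replica PostgreSQL Deployment hardened with a pod-wide seccomp
# profile, non-root execution, dropped capabilities and read-only root
# filesystems. The only root step is a one-shot chown of the data volume.
#
# NOTE(review): there is no spec.selector and no template label set here.
# apps/v1 requires spec.selector, so this file cannot be applied on its own;
# presumably a kustomize commonLabels (or similar) overlay injects both —
# confirm before applying standalone.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: postgresql-dp
spec:
  replicas: 1
  template:
    spec:
      # Run the pod in a user namespace so that uid 0 inside the
      # volume-permissions init container is not host root. This needs the
      # UserNamespacesSupport feature gate plus idmapped-mount support in the
      # container runtime and kernel; early releases excluded PVC-backed pods
      # from user namespaces — confirm the cluster supports it.
      hostUsers: false
      # Pod-wide defaults inherited by every container unless overridden:
      # runtime seccomp profile and a fixed non-root uid/gid. 70 is expected to
      # be the postgres user in the image — TODO confirm against the image.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        runAsNonRoot: true
        runAsUser: 70
        runAsGroup: 70
      initContainers:
        # Fix ownership of the data volume and the socket directory so the
        # non-root postgres uid can write to them. This is the only step in
        # the pod that runs as root.
        # NOTE(review): `busybox` is an unpinned tag (implicit :latest); pin
        # it to a tag or, better, a digest so the root-running step is not a
        # moving target.
        - name: volume-permissions
          image: busybox
          command: ["chown", "-c", "70:70", "/var/lib/postgresql/data", "/run/postgresql"]
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # Start from nothing and add back only CAP_CHOWN, the single
              # capability chown(1) needs. An explicit drop list only removes
              # what it names and silently keeps anything else in the
              # runtime's default set; drop ALL + add is exact.
              drop: ["ALL"]
              add: ["CHOWN"]
            # Override the pod-level runAsNonRoot for this step only.
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: postgresql-storage
              mountPath: /var/lib/postgresql/data
            - name: tmpfs-run
              mountPath: /run/postgresql
        # One-shot init script shipped in the postgres image, running as the
        # inherited uid/gid 70 with no capabilities. Presumably it initialises
        # or migrates the data directory — confirm against the image.
        # NOTE(review): a moving `:latest` tag combined with IfNotPresent means
        # each node keeps whichever build it cached first, so replicas and
        # restarts can diverge; pin the image by digest (same for the
        # postgresql container below).
        - name: kickstart-db
          image: redxen.eu/daemons/postgres:latest
          imagePullPolicy: IfNotPresent
          command: ["/usr/libexec/init.sh"]
          securityContext:
            capabilities:
              drop: ["ALL"]
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: postgresql-storage
              mountPath: /var/lib/postgresql/data
            - name: tmpfs-run
              mountPath: /run/postgresql
      containers:
        # The database server itself: non-root, no capabilities, read-only
        # root filesystem. The data volume and /run/postgresql are the only
        # writable paths.
        # NOTE(review): no resources requests/limits are set; consider adding
        # them so the database can neither be starved nor starve neighbours.
        - name: postgresql
          image: redxen.eu/daemons/postgres:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              drop: ["ALL"]
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: postgresql-storage
              mountPath: /var/lib/postgresql/data
            - name: tmpfs-run
              mountPath: /run/postgresql
          ports:
            - containerPort: 5432
      volumes:
        # Persistent data directory; readOnly is explicitly false because the
        # server must write to it.
        - name: postgresql-storage
          persistentVolumeClaim:
            claimName: postgresql-pvc
            readOnly: false
        # Memory-backed scratch space for the unix socket and pid/lock files.
        # The sizeLimit bounds how much RAM the pod can pin through it.
        - name: tmpfs-run
          emptyDir:
            medium: Memory
            sizeLimit: 2Mi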