kubernetes/redxen/postgresql/deployment.yml

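# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
#
# Single-replica PostgreSQL Deployment backed by a PersistentVolumeClaim.
# Flow: an init container chowns the data and run directories to 70:70, a
# second init container runs /usr/libexec/init.sh, then the main container
# starts from the same image.
#
# NOTE(review): no spec.selector or template metadata.labels are visible here,
# and apps/v1 requires both. Presumably an overlay tool injects them; confirm
# before applying this file on its own.
# NOTE(review): no spec.strategy is set, so the default RollingUpdate applies.
# During a rollout the old and new pod can overlap on the same PVC; confirm
# whether `Recreate` is intended for this database.
# NOTE(review): no resource requests/limits or probes are declared on any
# container; confirm they are supplied elsewhere.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: postgresql-dp
spec:
  replicas: 1
  template:
    spec:
      # Run the pod in its own user namespace instead of the host's, so UID 0
      # inside the pod is not UID 0 on the node.
      hostUsers: false
      # Pod-wide defaults; the volume-permissions init container overrides the
      # user settings below because it has to run as root.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        runAsNonRoot: true
        # 70:70 matches the owner set by the chown in volume-permissions.
        runAsUser: 70
        runAsGroup: 70
      initContainers:
        - name: volume-permissions
          # NOTE(review): untagged image resolves to a mutable tag; consider
          # pinning a version tag or digest so every node runs the same bits.
          image: busybox
          command: ["chown", "-c", "70:70", "/var/lib/postgresql/data", "/run/postgresql"]
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # Allow-list instead of enumerating capabilities to drop: the
              # previous list removed every common runtime default except
              # CHOWN, but would silently keep any capability it did not name.
              drop: ["ALL"]
              add: ["CHOWN"]
            # Root is needed only for the chown above; this is the single
            # container that opts out of the pod-level runAsNonRoot.
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: postgresql-storage
              mountPath: /var/lib/postgresql/data
            - name: tmpfs-run
              mountPath: /run/postgresql
        - name: kickstart-db
          # NOTE(review): `:latest` with IfNotPresent means a node keeps using
          # whatever image it cached first, so pods on different nodes may run
          # different builds. Consider pinning a version tag or digest.
          image: redxen.eu/daemons/postgres:latest
          imagePullPolicy: IfNotPresent
          # Presumably initialises the data directory; the script itself is
          # not visible here.
          command: ["/usr/libexec/init.sh"]
          securityContext:
            capabilities:
              drop: ["ALL"]
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: postgresql-storage
              mountPath: /var/lib/postgresql/data
            - name: tmpfs-run
              mountPath: /run/postgresql
      containers:
        - name: postgresql
          # Same image and pinning caveat as kickstart-db.
          image: redxen.eu/daemons/postgres:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              drop: ["ALL"]
            allowPrivilegeEscalation: false
            # Root filesystem is read-only; the only writable paths are the
            # two volume mounts below.
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: postgresql-storage
              mountPath: /var/lib/postgresql/data
            - name: tmpfs-run
              mountPath: /run/postgresql
          ports:
            - containerPort: 5432
      volumes:
        - name: postgresql-storage
          persistentVolumeClaim:
            claimName: postgresql-pvc
            readOnly: false
        # Memory-backed scratch space mounted at /run/postgresql, capped at
        # 2Mi. Contents are lost when the pod goes away.
        - name: tmpfs-run
          emptyDir:
            medium: Memory
            sizeLimit: 2Mi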