Changeset - c9e2108bb271
[Not reviewed]
default
0 1 0
drewp@bigasterisk.com - 2 years ago 2022-12-13 07:20:18
drewp@bigasterisk.com
pom deploy touchups
1 file changed with 2 insertions and 0 deletions:
0 comments (0 inline, 0 general)
20-kube/20-pom-deploy.yaml
Show inline comments
 
apiVersion: apps/v1
 
kind: Deployment
 
metadata:
 
  labels: { app.kubernetes.io/name: pomerium }
 
  name: pomerium
 
  namespace: pomerium
 
spec:
 
  replicas: 1
 
  strategy: {type: Recreate}
 
  selector:
 
    matchLabels: { app.kubernetes.io/name: pomerium }
 
  template:
 
    metadata:
 
      labels: { app.kubernetes.io/name: pomerium }
 
    spec:
 
      containers:
 
        - args:
 
            - all-in-one
 
            - --pomerium-config=global
 
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
 
            - --metrics-bind-address=$(POD_IP):9090
 
@@ -40,24 +41,25 @@ spec:
 
          resources:
 
            limits: { cpu: 5000m, memory: 1Gi }
 
            requests: { cpu: 300m, memory: 200Mi }
 
          securityContext:
 
            allowPrivilegeEscalation: false
 
            readOnlyRootFilesystem: true
 
            runAsGroup: 1000
 
            runAsNonRoot: true
 
            runAsUser: 1000
 
          volumeMounts:
 
            - { mountPath: /tmp, name: tmp }
 
            - { mountPath: /data/autocert, name: autocert }
 
            - { mountPath: /.local, name: autocert }
 
      nodeSelector:
 
        kubernetes.io/os: linux
 
      securityContext:
 
        runAsNonRoot: true
 
      serviceAccountName: pomerium-controller
 
      terminationGracePeriodSeconds: 10
 
      volumes:
 
        - { name: tmp, emptyDir: {} }
 
        - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } }
 
      affinity:
 
        nodeAffinity:
 
          requiredDuringSchedulingIgnoredDuringExecution:
0 comments (0 inline, 0 general)