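---
# Deployment for the eventrt service: a single replica running one container
# that listens on port 8081. Configuration comes from a ConfigMap-mounted
# config.yaml, two Secret-backed environment variables, and a Secret-mounted
# certificate directory.
#
# The manifest had been collapsed onto one line, where the inline `#` comments
# swallowed everything after them; block structure is restored here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eventrt
  labels:
    app: eventrt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: eventrt
  template:
    metadata:
      labels:
        app: eventrt
    spec:
      # NOTE(review): no serviceAccountName or automountServiceAccountToken is
      # set, so the namespace's default service account token is mounted into
      # the pod. Namespace and node name already arrive via the Downward API
      # below; if eventrt never calls the Kubernetes API, set
      # `automountServiceAccountToken: false` here. Confirm against the app.
      containers:
        - name: eventrt
          # NOTE(review): a tag is mutable, and with IfNotPresent a node that
          # already caches `eventrt:v1` never re-pulls it, so nodes can run
          # different content under the same tag. Prefer pinning by digest
          # (eventrt@sha256:<digest-placeholder>).
          image: eventrt:v1
          imagePullPolicy: IfNotPresent
          command: ["/app/eventrt"]
          # Config directory, base name and type; together these point at the
          # config.yaml mounted under /app/configs below.
          args:
            - "-eventRT_config_dir=/app/configs"
            - "-eventRT_config_name=config"
            - "-eventRT_config_type=yaml"
          ports:
            - containerPort: 8081
          env:
            # Downward API — injected into every log line by logger
            - name: K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # HOSTNAME is set automatically by K8s to the pod name
            # Sensitive values injected from Secret so they stay out of
            # ConfigMap.
            # Caveat: environment variables are resolved once at container
            # start (rotating eventrt-secret needs a pod restart) and are
            # visible to anything that can read the process environment or a
            # crash dump. Mounting the Secret as read-only files is the
            # tighter option if the app can read credentials from a path.
            - name: MONGODB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: eventrt-secret
                  key: mongodb-password
            - name: SERVICE_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: eventrt-secret
                  key: secret-key
          volumeMounts:
            # Single-file mount via subPath. Kubernetes does not propagate
            # ConfigMap updates to subPath mounts, so a config change only
            # takes effect after the pod is recreated.
            - name: config
              mountPath: /app/configs/config.yaml
              subPath: config.yaml
              readOnly: true
            - name: certs
              mountPath: /app/configs/certs
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            # Both volumes are mounted read-only and no emptyDir is defined,
            # so the process has no writable path inside the container. If it
            # needs scratch space, add a dedicated emptyDir rather than
            # relaxing this flag.
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # Added: without an explicit profile the container runs with
            # seccomp Unconfined on clusters where the kubelet does not
            # default it. RuntimeDefault completes the "restricted" Pod
            # Security Standard the settings above already aim for.
            seccompProfile:
              type: RuntimeDefault
          # Both probes only check that port 8081 accepts TCP connections;
          # they do not exercise the application itself.
          livenessProbe:
            tcpSocket:
              port: 8081
            initialDelaySeconds: 10
            periodSeconds: 30
            failureThreshold: 3
          readinessProbe:
            tcpSocket:
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
      volumes:
        - name: config
          configMap:
            name: eventrt-config
        - name: certs
          secret:
            secretName: eventrt-certs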