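---
# Deployment for the modelrt service: one replica listening on 8080, with its
# config file mounted from a ConfigMap and its credentials and certificates
# taken from Secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: modelrt
  labels:
    app: modelrt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: modelrt
  template:
    metadata:
      labels:
        app: modelrt
    spec:
      # NOTE(review): namespace and node name arrive through the Downward API
      # below, so the pod may not need the Kubernetes API at all. If that is
      # confirmed, set automountServiceAccountToken: false here so no
      # service-account token is mounted into the container.
      containers:
        - name: modelrt
          # NOTE(review): a tag is mutable, and IfNotPresent keeps whatever a
          # node already has cached under it. Pinning by digest
          # (modelrt@sha256:<digest>) makes the deployed image verifiable.
          image: modelrt:v1
          imagePullPolicy: IfNotPresent
          command: ["/app/modelrt"]
          args:
            - "-modelRT_config_dir=/app/configs"
            - "-modelRT_config_name=config"
            - "-modelRT_config_type=yaml"
          ports:
            - containerPort: 8080
          env:
            # Downward API — injected into every log line by logger/zap.go
            # containerFields()
            - name: K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # HOSTNAME is set automatically by K8s to the pod name
            # Sensitive values injected from Secret so they stay out of
            # ConfigMap.
            # NOTE(review): environment variables are inherited by child
            # processes and readable from the process environment. Confirm
            # that containerFields() reads only the K8S_* / HOSTNAME variables
            # so these two values can never reach a log line.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: modelrt-secret
                  key: postgres-password
            - name: SERVICE_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: modelrt-secret
                  key: secret-key
          volumeMounts:
            # subPath mounts a single file; such mounts do not pick up later
            # ConfigMap updates until the pod is restarted.
            - name: config
              mountPath: /app/configs/config.yaml
              subPath: config.yaml
              readOnly: true
            - name: certs
              mountPath: /app/configs/certs
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # Added: the only setting the "restricted" Pod Security Standard
            # requires that this context did not already carry. It applies the
            # container runtime's default syscall filter.
            seccompProfile:
              type: RuntimeDefault
          # Both probes only check that port 8080 accepts a TCP connection.
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 30
            failureThreshold: 3
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
      volumes:
        - name: config
          configMap:
            name: modelrt-config
        # NOTE(review): Secret volume files default to mode 0644. A tighter
        # defaultMode would also need an fsGroup so that UID 1000 can still
        # read the certificates.
        - name: certs
          secret:
            secretName: modelrt-certs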