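# Example deployment compliant with the BASELINE Pod Security Standard.
# Suitable for most application workloads.
#
# Baseline is enforced per namespace, not per workload: the target namespace
# must carry the pod-security.kubernetes.io/enforce=baseline label (or a
# stricter level) for the admission controller to actually check this
# manifest. The settings below go beyond the Baseline minimum wherever the
# cost is nil: non-root UID/GID, no privilege escalation, all capabilities
# dropped, the runtime's default seccomp profile, and no API token mounted.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: standard-app
  namespace: baseline-apps
  labels:
    app: standard-app
    # Custom labels need a prefix you control: the kubernetes.io/ and k8s.io/
    # prefixes (including subdomains such as security.kubernetes.io/) are
    # reserved for Kubernetes core components.
    security.example.com/pod-security-level: "baseline"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: standard-app
  template:
    metadata:
      labels:
        app: standard-app
    spec:
      # Baseline permits running as root; we still run as an unprivileged
      # UID/GID. runAsGroup is set explicitly: when the image has no
      # /etc/passwd entry for the chosen UID, the primary GID otherwise
      # falls back to 0 (the root group).
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          # NOTE(review): the stock nginx image is normally started as root
          # (it binds port 80 and writes under /var/run and /var/cache/nginx).
          # Confirm it starts cleanly as UID 1000, or switch to an image built
          # for non-root use with a listen port >= 1024, before copying this.
          image: nginx:1.27
          ports:
            - containerPort: 80
              protocol: TCP
          securityContext:
            # Sets no_new_privs: setuid/setcap binaries cannot regain
            # privilege inside the container.
            allowPrivilegeEscalation: false
            # Baseline allows a writable root filesystem (the default).
            # readOnlyRootFilesystem: true is cheap extra hardening once the
            # image's writable paths are backed by emptyDir volumes.
            capabilities:
              drop:
                - ALL
              # Baseline would also allow adding e.g. NET_BIND_SERVICE, CHOWN,
              # SETGID and SETUID, but without file capabilities on the
              # binary or ambient-capability support in the runtime, a
              # non-root process (runAsUser 1000 above) never receives them.
              # Listing them here would grant nothing and only widen the
              # bounding set, so nothing is added. To bind a port below 1024
              # as non-root, use the net.ipv4.ip_unprivileged_port_start
              # sysctl or listen on a high port instead.
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          livenessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 5
      # No token is mounted, so the pod holds no API credentials regardless of
      # what RBAC grants the namespace's default service account. If the app
      # ever needs the API, create a dedicated service account bound to a
      # narrow Role and mount the token only in that deployment.
      serviceAccountName: default
      automountServiceAccountToken: false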