ghndrx/k8s-manifests
1
0
Fork 0
mirror of https://github.com/ghndrx/k8s-manifests.git synced 2026-02-10 06:45:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
k8s-manifests/deployments/base/README.md
Greg Hendrickson ef86c1a6c7 feat(deployments): add PSS-restricted base template with Kustomize 
- Namespace with Pod Security Standards restricted enforcement
- Deployment with full security context (non-root, read-only fs, no caps)
- Resource limits, health probes, topology spread
- Service and comprehensive README
- Kustomize structure for overlay-based customization
2026-01-31 18:01:18 +00:00

62 lines
1.7 KiB
Markdown
Raw Permalink Blame History

# Deployment Base Template
Production-ready Kubernetes deployment with **Pod Security Standards (PSS) restricted** compliance.
## Security Features
This template enforces the most restrictive Pod Security Standard:
-**Non-root execution** - Pods run as UID 1000
-**Read-only root filesystem** - Prevents runtime modifications
-**No privilege escalation** - `allowPrivilegeEscalation: false`
-**All capabilities dropped** - Minimal Linux capabilities
-**Seccomp profile** - RuntimeDefault seccomp filtering
-**Resource limits** - CPU and memory constraints
## Usage
### Deploy directly
```bash
kubectl apply -k .
```
### Use as a base with overlays
```yaml
# overlays/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
- path: replicas-patch.yaml
```
## Customization Points
| Field | Default | Description |
|-------|---------|-------------|
| `replicas` | 2 | Number of pod replicas |
| `image` | nginx:1.27-alpine | Container image |
| `resources.requests.cpu` | 100m | CPU request |
| `resources.requests.memory` | 128Mi | Memory request |
| `resources.limits.cpu` | 500m | CPU limit |
| `resources.limits.memory` | 256Mi | Memory limit |
## Pod Security Standards Reference
The namespace is configured with PSS labels:
```yaml
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
```
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
## Health Probes
- **Liveness**: `/healthz` - Restart if unhealthy
- **Readiness**: `/ready` - Remove from service if not ready
- **Startup**: `/healthz` - Allow up to 150s for startup
Reference in New Issue View Git Blame Copy Permalink