mirror of
https://github.com/ghndrx/k8s-manifests.git
synced 2026-02-10 06:45:09 +00:00
Greg Hendrickson
ef86c1a6c7
- Namespace with Pod Security Standards restricted enforcement - Deployment with full security context (non-root, read-only fs, no caps) - Resource limits, health probes, topology spread - Service and comprehensive README - Kustomize structure for overlay-based customization
Deployment Base Template
Production-ready Kubernetes deployment with Pod Security Standards (PSS) restricted compliance.
Security Features
This template enforces the most restrictive Pod Security Standard:
- ✅ Non-root execution - Pods run as UID 1000
- ✅ Read-only root filesystem - Prevents runtime modifications
- ✅ No privilege escalation -
allowPrivilegeEscalation: false - ✅ All capabilities dropped - Minimal Linux capabilities
- ✅ Seccomp profile - RuntimeDefault seccomp filtering
- ✅ Resource limits - CPU and memory constraints
Usage
Deploy directly
kubectl apply -k .
Use as a base with overlays
# overlays/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
- path: replicas-patch.yaml
Customization Points
| Field | Default | Description |
|---|---|---|
replicas |
2 | Number of pod replicas |
image |
nginx:1.27-alpine | Container image |
resources.requests.cpu |
100m | CPU request |
resources.requests.memory |
128Mi | Memory request |
resources.limits.cpu |
500m | CPU limit |
resources.limits.memory |
256Mi | Memory limit |
Pod Security Standards Reference
The namespace is configured with PSS labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Health Probes
- Liveness:
/healthz- Restart if unhealthy - Readiness:
/ready- Remove from service if not ready - Startup:
/healthz- Allow up to 150s for startup