apiVersion: apps/v1 kind: Deployment metadata: name: k8s-mgmt-pod spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app.kubernetes.io/name: k8s-mgmt-pod template: metadata: labels: app.kubernetes.io/name: k8s-mgmt-pod spec: serviceAccountName: k8s-mgmt-pod automountServiceAccountToken: true securityContext: seccompProfile: type: RuntimeDefault containers: - name: k8s-mgmt-pod # Replace this placeholder with a pinned tag or digest in production. image: ghcr.io///k8s-mgmt-pod:latest imagePullPolicy: IfNotPresent ports: - name: ssh containerPort: 22 protocol: TCP - name: webssh containerPort: 3000 protocol: TCP env: - name: ADMIN_SSH_PUBKEY valueFrom: secretKeyRef: name: k8s-mgmt-pod-auth key: ADMIN_SSH_PUBKEY optional: true - name: USER_SSH_PUBKEY valueFrom: secretKeyRef: name: k8s-mgmt-pod-auth key: USER_SSH_PUBKEY optional: true - name: ADMIN_PASSWORD valueFrom: secretKeyRef: name: k8s-mgmt-pod-auth key: ADMIN_PASSWORD optional: true - name: USER_PASSWORD valueFrom: secretKeyRef: name: k8s-mgmt-pod-auth key: USER_PASSWORD optional: true resources: requests: cpu: 100m memory: 256Mi limits: cpu: 500m memory: 512Mi readinessProbe: tcpSocket: port: 22 initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: tcpSocket: port: 22 initialDelaySeconds: 15 periodSeconds: 20 volumeMounts: - name: state mountPath: /var/lib/k8s-mgmt-pod securityContext: # sshd still runs as root here because it needs to bind port 22 and switch to the authenticated user session. # The tradeoff is deliberate: keep the container functional, then narrow capabilities instead of forcing a fragile rootless sshd setup. runAsUser: 0 runAsGroup: 0 runAsNonRoot: false allowPrivilegeEscalation: false readOnlyRootFilesystem: false capabilities: drop: ["ALL"] add: ["CHOWN", "DAC_OVERRIDE", "FOWNER", "NET_BIND_SERVICE", "SETGID", "SETUID"] volumes: - name: state emptyDir: {}