security-context.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: a-deployment-1
  labels:
    name: my-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-deployment
  template:
    metadata:
      labels:
        app: my-deployment
    spec:
      securityContext:
        runAsUser: 5005
        runAsGroup: 5005
        fsGroup: 5005
      initContainers:
      - name: prep-symlink
        image: busybox
        imagePullPolicy: Never
        env:
          - name: NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
        securityContext:
          allowPrivilegeEscalation: true
        command: ["bin/sh", "-ec", "mkdir /mnt/data/$(NAME); chown -R 5005:5005 /mnt/data/$(NAME)"]
        volumeMounts:
        - name: my-volume
          mountPath: /mnt/data
      containers:
      - name: my-container
        image: localhost:32000/busy-box-appuser:latest
        imagePullPolicy: Never
        env:
          - name: NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
        command: ["/bin/sh", "-ec", "ls /mnt/data; sleep 999999"]
        volumeMounts:
        - mountPath: /mnt/data
          name: my-volume
          subPathExpr: $(NAME)
        securityContext:
          allowPrivilegeEscalation: false
      volumes:
      - name: my-volume
        hostPath:
          path: /data