# Math Exercises Application - Kubernetes Deployment

This directory contains the Kubernetes deployment configuration for the Math Exercises application, with security best practices applied.

## Directory Structure

```
deploy/
├── base/                           # Base kustomize configuration
│   ├── deployment.yaml             # Application deployment
│   ├── service.yaml                # Internal service
│   ├── ingress.yaml                # External access configuration
│   ├── network-policy.yaml         # Network security policies
│   ├── configmap.yaml              # Application configuration
│   ├── pod-disruption-budget.yaml  # High availability
│   └── kustomization.yaml          # Base kustomize file
├── overlays/                       # Environment-specific configurations
│   ├── development/                # Development environment
│   │   ├── deployment-patch.yaml   # Dev-specific deployment settings
│   │   └── kustomization.yaml      # Dev kustomize file
│   └── production/                 # Production environment
│       ├── deployment-patch.yaml   # Prod-specific deployment settings
│       ├── security-patch.yaml     # Additional security settings
│       └── kustomization.yaml      # Prod kustomize file
└── SECURITY_CHECKLIST.md           # Security implementation checklist
```

## Security Features Implemented

The deployment implements the following security best practices:

1. **Pod Security**:
   - Non-root user execution
   - ReadOnly root filesystem
   - Disabled privilege escalation
   - Minimal container capabilities
   - Seccomp profiles

2. **Network Security**:
   - Network policies restricting traffic
   - TLS-enforced ingress with security headers
   - Internal service exposure only

3. **Configuration Security**:
   - ConfigMaps for configuration separation
   - Resource limits and requests
   - Health checks with appropriate timeouts

4. **Operational Security**:
   - PodDisruptionBudget for high availability
   - Environment-specific configurations
   - Versioned image tags

## Deployment Instructions

### Development Environment

```bash
kubectl apply -k deploy/overlays/development
```

### Production Environment

```bash
kubectl apply -k deploy/overlays/production
```

## Security Verification

To verify security settings are properly applied:

```bash
# Check security context
kubectl get deployment math-exercises-app -o jsonpath='{.spec.template.spec.containers[0].securityContext}'

# Check network policies
kubectl get networkpolicy

# Check resource limits
kubectl get deployment math-exercises-app -o jsonpath='{.spec.template.spec.containers[0].resources}'
```

See `SECURITY_CHECKLIST.md` for a comprehensive list of implemented security measures.
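
The manual checks above can be turned into a pass/fail audit of the Pod Security items listed earlier. The script below is an added example, not part of this repository: `audit_deployment` and `effective` are hypothetical names, the sample JSON is constructed, and treating "minimal capabilities" as `drop: ["ALL"]` is an assumption about what the manifests intend.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get deployment math-exercises-app -o json`
# with unrelated fields trimmed. All values are assumptions.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsNonRoot": true,
                      "seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{
    "name": "app",
    "securityContext": {"readOnlyRootFilesystem": true,
                        "allowPrivilegeEscalation": false,
                        "capabilities": {"drop": ["ALL"]}},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]
}}}}
""")


def effective(container_sc, pod_sc, key):
    """Container-level setting wins over the pod-level one when both are set."""
    return container_sc.get(key, pod_sc.get(key))


def audit_deployment(deploy):
    """Return findings as strings; an empty list means every check passed."""
    pod = deploy["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        drops = [d.upper() for d in (sc.get("capabilities") or {}).get("drop") or []]
        seccomp = (effective(sc, pod_sc, "seccompProfile") or {}).get("type")
        checks = [
            (effective(sc, pod_sc, "runAsNonRoot") is True, "runAsNonRoot is not true"),
            (sc.get("readOnlyRootFilesystem") is True, "root filesystem is writable"),
            # Unset allowPrivilegeEscalation does not block escalation, so require false.
            (sc.get("allowPrivilegeEscalation") is False, "privilege escalation not disabled"),
            ("ALL" in drops, "capabilities.drop does not include ALL"),
            (seccomp in ("RuntimeDefault", "Localhost"), "no seccomp profile set"),
            (bool((c.get("resources") or {}).get("limits")), "no resource limits"),
        ]
        findings += [f"{c.get('name', '?')}: {msg}" for ok, msg in checks if not ok]
    return findings


if __name__ == "__main__":
    # Optional argument: path to a file saved from the kubectl command above.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit_deployment(data)) or "all checks passed")
```

Save the live object with `kubectl get deployment math-exercises-app -o json > deploy.json` and pass that file as the only argument; init containers are not covered by this check.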