apiVersion: apps/v1
kind: Deployment
metadata:
  name: math-exercises-app
spec:
  template:
    spec:
      # Additional security context for production
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 2000
        # seccompProfile:
        #   type: RuntimeDefault
      containers:
      - name: math-exercises
        # Additional security settings for production
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
          capabilities:
            drop:
              - ALL
            add:
              - NET_BIND_SERVICE
        # Environment variables from S3 credentials secret
        envFrom:
        - secretRef:
            name: s3-credentials