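---
# StatefulSet running a single replica of thelounge with a persistent
# config volume mounted at /var/opt/thelounge.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: thelounge
  labels:
    app.kubernetes.io/name: thelounge
    app.kubernetes.io/instance: thelounge
  annotations:
    # Polaris audit exemptions. The tagNotSpecified exemption goes together
    # with the mutable `latest` tag on the main container image below.
    polaris.fairwinds.com/tagNotSpecified-exempt: "true"
    polaris.fairwinds.com/topologySpreadConstraint-exempt: "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: thelounge
      app.kubernetes.io/instance: thelounge
  template:
    metadata:
      labels:
        app.kubernetes.io/name: thelounge
        app.kubernetes.io/instance: thelounge
    spec:
      priorityClassName: low-priority
      # The workload gets no service-account token mounted.
      automountServiceAccountToken: false
      # Pod-level defaults; the init container below overrides runAsUser and
      # runAsNonRoot, everything else (group, fsGroup, seccomp) still applies.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Runs as UID 0 so it can chown the config volume to 1000:1000 before
        # the unprivileged main container starts.
        - name: fix-permissions
          image: busybox:1.37
          command: ["sh", "-c", "chown -R 1000:1000 /var/opt/thelounge"]
          volumeMounts:
            - name: config
              mountPath: /var/opt/thelounge
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
            # The only root container in the pod: keep it from gaining
            # further privileges and from writing outside the mounted volume.
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # NOTE(review): the runtime's default capability set is still
            # granted here. Narrowing it to what `chown -R` needs on this
            # volume should be tested before it is enforced. Also confirm
            # whether fsGroup above already makes the volume writable for
            # UID 1000, in which case this root step could be dropped.
          resources:
            limits:
              cpu: "100m"
              memory: "64Mi"
      containers:
        - name: thelounge
          # NOTE(review): `latest` is a mutable tag, so the image that runs
          # can change between pod restarts without any change to this
          # manifest. Pinning a version tag or digest makes rollouts
          # reviewable and lets the Polaris exemption above be removed.
          image: ghcr.io/thelounge/thelounge:latest
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): readOnlyRootFilesystem is not set; confirm which
            # paths besides the config volume the application writes to
            # before enabling it.
          ports:
            - containerPort: 9000
              name: http-9000
          volumeMounts:
            - name: config
              mountPath: /var/opt/thelounge
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
              ephemeral-storage: "1Gi"
            limits:
              cpu: "500m"
              memory: "512Mi"
              ephemeral-storage: "2Gi"
          # Liveness: HTTP GET / on port 9000; three consecutive failures
          # restart the container.
          livenessProbe:
            httpGet:
              path: /
              port: 9000
            initialDelaySeconds: 20
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
          # Readiness: plain TCP connect to port 9000.
          readinessProbe:
            tcpSocket:
              port: 9000
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            failureThreshold: 3
  # One 4Gi ReadWriteOnce claim per replica, provisioned from the ceph-block
  # storage class and mounted by both containers as `config`.
  volumeClaimTemplates:
    - metadata:
        name: config
      spec:
        storageClassName: ceph-block
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 4Gi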