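---
# Deployment for the Ghost CMS container.
# Configuration is injected as environment variables from two Secrets. The
# container runs as a fixed non-root UID/GID with a read-only root filesystem,
# no privilege escalation and every Linux capability dropped.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ghostcms
spec:
  # spec.replicas is not set, so the Deployment default of 1 applies.
  selector:
    matchLabels:
      app.kubernetes.io/name: ghostcms
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ghostcms
    spec:
      # NOTE(review): the pod uses the namespace's default ServiceAccount and
      # its token is mounted automatically. If nothing in the pod talks to the
      # Kubernetes API, consider `automountServiceAccountToken: false`; confirm
      # first that no injected sidecar depends on the token.
      containers:
        - name: ghostcms
          # NOTE(review): bare image name with no registry, tag or digest.
          # Unless an overlay rewrites it, this resolves to the mutable
          # `latest` tag; pin a version or, better, an image digest so the
          # deployed artifact is reproducible and auditable.
          image: ghostcms
          ports:
            - containerPort: 2368
          env:
            # An explicit env entry takes precedence over a same-named key
            # coming from envFrom below.
            - name: NODE_ENV
              value: production
          # Every key of both Secrets becomes an environment variable; on a
          # key collision the Secret listed last wins. Environment variables
          # are readable by the process and anything it spawns, so keep these
          # Secrets limited to what the application needs.
          envFrom:
            - secretRef:
                name: ghostcms-base-config
            - secretRef:
                name: ghostcms-secret-config
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): no volumes or volumeMounts are declared in this
            # manifest, so the container has no writable path at all. Confirm
            # that an overlay mounts whatever the application must write
            # (content, logs, temp files) or that it needs none.
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            privileged: false
            # presumably matches the unprivileged user baked into the image;
            # verify against the image's USER.
            runAsUser: 1000
            runAsGroup: 1000
            # Added: apply the container runtime's default seccomp filter.
            # Without it the pod may run Unconfined (the Kubernetes default
            # unless the kubelet overrides it), and the Pod Security
            # "restricted" profile rejects pods that leave this unset.
            seccompProfile:
              type: RuntimeDefault
          resources:
            # Only limits are given; Kubernetes then sets the requests equal
            # to the limits.
            limits:
              memory: "384Mi"
              cpu: "100m"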