apiVersion: apps/v1 kind: Deployment metadata: name: testapp labels: app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft namespace: default spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: testapp template: metadata: labels: app.kubernetes.io/name: testapp azure.workload.identity/use: "true" spec: serviceAccountName: testsa containers: - name: testapp image: testimage:latest imagePullPolicy: Always ports: - containerPort: 80 resources: requests: cpu: "0.5" memory: "0.5Gi" limits: cpu: "1" memory: "1Gi" envFrom: - configMapRef: name: testapp-config - secretRef: name: secret-ref optional: true livenessProbe: tcpSocket: port: 80 readinessProbe: tcpSocket: port: 80 periodSeconds: 5 timeoutSeconds: 5 failureThreshold: 1 successThreshold: 1 initialDelaySeconds: 3 startupProbe: tcpSocket: port: 80 periodSeconds: 10 timeoutSeconds: 1 failureThreshold: 3 successThreshold: 1 initialDelaySeconds: 0 securityContext: seccompProfile: type: RuntimeDefault capabilities: drop: - ALL add: - SETPCAP - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL - SETGID - SETUID - NET_BIND_SERVICE - SYS_CHROOT - SETFCAP - SYS_PTRACE affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: app.kubernetes.io/name: testapp topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: app.kubernetes.io/name: testapp