---
# Pod manifest for the valtrix-site web container: one container, one
# declared port, and a restrictive container-level securityContext.
apiVersion: v1
kind: Pod
metadata:
  name: valtrix-site
spec:
  containers:
    - name: web
      # NOTE(review): ':latest' is a mutable tag, so this manifest does not
      # fix which build runs. Pinning a version tag or an image digest makes
      # the deployed artifact reproducible and auditable.
      image: localhost/valtrix-site:latest
      ports:
        # 3000 is an unprivileged port, which is consistent with dropping
        # every capability below (no NET_BIND_SERVICE needed) - assuming the
        # server in the image really listens on 3000; confirm.
        - containerPort: 3000
      # Empty mapping: no CPU or memory requests/limits are declared, so
      # this manifest puts no bound on the container's resource use.
      resources: {}
      # Read-only root filesystem is fine for static serving.
      # No volumes are declared, so the process has no writable mount from
      # this manifest; a path it must write to (temp files, caches) would
      # need an explicit volume.
      securityContext:
        readOnlyRootFilesystem: true
        # Blocks the process from gaining more privileges than its parent
        # (e.g. through setuid binaries).
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        # NOTE(review): runAsNonRoot, runAsUser and seccompProfile are not
        # set here, so the effective UID and seccomp profile come from the
        # image and the runtime defaults - confirm the image runs as a
        # non-root user before relying on this context alone.
  # The container is not restarted after it exits, whatever the exit code.
  restartPolicy: Never