# Namespace that holds every medical-ai resource below. The `compliance: hipaa`
# label is informational only; nothing in this file enforces it.
# NOTE(review): no Pod Security Admission label (pod-security.kubernetes.io/enforce)
# is set, so the pod hardening in the Deployment is not enforced at namespace
# level — confirm whether PSA is applied elsewhere.
apiVersion: v1
kind: Namespace
metadata:
  name: medical-ai
  labels:
    name: medical-ai
    compliance: hipaa
---
# Namespace-wide default deny: the empty podSelector matches every pod in
# medical-ai, and because both policy types are listed with no ingress rules
# and a single egress rule, everything not listed here is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: medical-ai-default-deny
  namespace: medical-ai
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  # Only DNS lookups against kube-system are permitted out. Nothing in this
  # file allows egress to the DATABASE_URL/REDIS_URL backends the Deployment
  # reads, nor ingress to port 7860 behind the Service — those allow rules must
  # exist elsewhere or the pods cannot serve traffic (TODO confirm).
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    # Every pod in kube-system is reachable on 53; adding a podSelector for the
    # cluster DNS pods would narrow this further.
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
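# The medical-ai-service workload. `spec.replicas` is intentionally omitted:
# the HorizontalPodAutoscaler in this file (minReplicas 2) owns the replica
# count, and a fixed `replicas:` here would reset it on every re-apply of the
# manifest and fight the autoscaler.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: medical-ai-service
  namespace: medical-ai
spec:
  selector:
    matchLabels:
      app: medical-ai-service
  template:
    metadata:
      labels:
        app: medical-ai-service
      annotations:
        # Scrape target matches the container port named `http` below.
        prometheus.io/scrape: "true"
        prometheus.io/port: "7860"
        prometheus.io/path: "/metrics"
    spec:
      # Pod-level hardening: fixed non-root uid/gid and the runtime's default
      # seccomp profile.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): automountServiceAccountToken is left at its default, so
      # each pod receives an API token; set it to false unless the service
      # actually talks to the Kubernetes API — confirm with the application.
      containers:
      - name: ai
        # Tag-pinned; pinning by digest (image@sha256:<DIGEST>) would make the
        # rollout immutable against a re-pushed tag.
        image: ghcr.io/example/medical-ai-service:1.0.0
        ports:
        - containerPort: 7860
          name: http
        # Container-level hardening: no privilege escalation, read-only root
        # filesystem, all capabilities dropped.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
        # Every credential is read from the medical-ai-secrets Secret; none is
        # inlined in this manifest.
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: medical-ai-secrets
              key: DATABASE_URL
        - name: REDIS_URL
          valueFrom:
            secretKeyRef:
              name: medical-ai-secrets
              key: REDIS_URL
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: medical-ai-secrets
              key: SECRET_KEY
        - name: JWT_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: medical-ai-secrets
              key: JWT_SECRET_KEY
        # Probes use the named port; only the initial delays are set, so the
        # API defaults apply for period, timeout and thresholds.
        readinessProbe:
          httpGet:
            path: /health/ready
            port: http
          initialDelaySeconds: 20
        livenessProbe:
          httpGet:
            path: /health/live
            port: http
          initialDelaySeconds: 30
        # Writable paths are needed because the root filesystem is read-only.
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: uploads
          mountPath: /app/uploads
        - name: models
          mountPath: /app/models
        resources:
          requests:
            cpu: "1"
            memory: "4Gi"
          limits:
            cpu: "4"
            memory: "8Gi"
      # All three volumes are emptyDir: uploads and models are per-pod and are
      # lost on restart — presumably re-fetched at startup; verify this is
      # intended given the two-plus replicas.
      volumes:
      - name: tmp
        emptyDir: {}
      - name: uploads
        emptyDir: {}
      - name: models
        emptyDir: {}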
---
# In-cluster front for the Deployment's pods; no `type:` is set, so the API
# default (ClusterIP) applies. Port 80 forwards to the container port named
# `http` (7860).
apiVersion: v1
kind: Service
metadata:
  name: medical-ai-service
  namespace: medical-ai
spec:
  selector:
    app: medical-ai-service
  ports:
  - port: 80
    targetPort: http
---
# Autoscaler for the medical-ai-service Deployment: 2–10 replicas, driven by
# CPU and memory utilization relative to the container's resource requests.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: medical-ai-hpa
  namespace: medical-ai
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: medical-ai-service
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  # NOTE(review): memory utilization is measured against the 4Gi request; if
  # the service holds loaded models in memory the value may stay high after a
  # scale-out and keep this metric pinned — confirm against real usage.
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80