Hugging Face's logo

Spaces:
salvinjose
/
HNTAI
Paused

App Files Community
HNTAI / infra /k8s /secure_deployment.yaml
sachinchandrankallar's picture
sachinchandrankallar
changes for publishing the latest including generate_generic api
4156c57
Raw
History Blame Contribute Delete
2.96 kB
apiVersion: v1
kind: Namespace
metadata: { name: medical-ai, labels: { name: medical-ai, compliance: hipaa } }
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: medical-ai-default-deny, namespace: medical-ai }
spec:
 podSelector: {}
 policyTypes: ["Ingress","Egress"]
 egress:
 - to: [ { namespaceSelector: { matchLabels: { kubernetes.io/metadata.name: kube-system } } } ]
 ports: [ { protocol: UDP, port: 53 }, { protocol: TCP, port: 53 } ]
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: medical-ai-service, namespace: medical-ai }
spec:
 replicas: 2
 selector: { matchLabels: { app: medical-ai-service } }
 template:
 metadata:
 labels: { app: medical-ai-service }
 annotations:
 prometheus.io/scrape: "true"
 prometheus.io/port: "7860"
 prometheus.io/path: "/metrics"
 spec:
 securityContext: { runAsNonRoot: true, runAsUser: 1001, fsGroup: 1001, seccompProfile: { type: RuntimeDefault } }
 containers:
 - name: ai
 image: ghcr.io/example/medical-ai-service:1.0.0
 ports: [ {containerPort: 7860, name: http} ]
 securityContext: { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsNonRoot: true, capabilities: { drop: ["ALL"] } }
 env:
 - { name: DATABASE_URL, valueFrom: { secretKeyRef: { name: medical-ai-secrets, key: DATABASE_URL } } }
 - { name: REDIS_URL, valueFrom: { secretKeyRef: { name: medical-ai-secrets, key: REDIS_URL } } }
 - { name: SECRET_KEY, valueFrom: { secretKeyRef: { name: medical-ai-secrets, key: SECRET_KEY } } }
 - { name: JWT_SECRET_KEY, valueFrom: { secretKeyRef: { name: medical-ai-secrets, key: JWT_SECRET_KEY } } }
 readinessProbe: { httpGet: { path: /health/ready, port: http }, initialDelaySeconds: 20 }
 livenessProbe: { httpGet: { path: /health/live, port: http }, initialDelaySeconds: 30 }
 volumeMounts: [ { name: tmp, mountPath: /tmp }, { name: uploads, mountPath: /app/uploads }, { name: models, mountPath: /app/models } ]
 resources: { requests: { cpu: "1", memory: "4Gi" }, limits: { cpu: "4", memory: "8Gi" } }
 volumes: [ { name: tmp, emptyDir: {} }, { name: uploads, emptyDir: {} }, { name: models, emptyDir: {} } ]
---
apiVersion: v1
kind: Service
metadata: { name: medical-ai-service, namespace: medical-ai }
spec: { selector: { app: medical-ai-service }, ports: [ { port: 80, targetPort: http } ] }
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
 name: medical-ai-hpa
 namespace: medical-ai
spec:
 scaleTargetRef:
 apiVersion: apps/v1
 kind: Deployment
 name: medical-ai-service
 minReplicas: 2
 maxReplicas: 10
 metrics:
 - type: Resource
 resource:
 name: cpu
 target:
 type: Utilization
 averageUtilization: 70
 - type: Resource
 resource:
 name: memory
 target:
 type: Utilization
 averageUtilization: 80