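---
# Namespace for the medical AI workload. The labels are informational
# (useful for policy tooling that selects on them); they grant nothing
# by themselves.
apiVersion: v1
kind: Namespace
metadata:
  name: medical-ai
  labels:
    name: medical-ai
    compliance: hipaa
---
# Default-deny policy for the namespace. The empty podSelector matches
# every pod, and policyTypes lists both directions. No ingress rules are
# given, so ALL inbound traffic -- including to the ai-service Service
# below -- is dropped unless another NetworkPolicy in this namespace
# allows it. Egress is restricted to DNS in kube-system; the database and
# Redis endpoints referenced by the Deployment's env must be opened by a
# separate, explicit egress policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: medical-ai-default-deny
  namespace: medical-ai
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ai-service
  namespace: medical-ai
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ai-service
  template:
    metadata:
      labels:
        app: ai-service
    spec:
      # Pod-level hardening: non-root UID/GID 1001 and the runtime's
      # default seccomp profile. The container block repeats runAsNonRoot
      # and tightens further (no privilege escalation, read-only root,
      # all capabilities dropped).
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      # Nothing in this manifest uses the Kubernetes API, so do not mount
      # a service-account token into the container. Set to true only if
      # the service genuinely needs in-cluster API access.
      automountServiceAccountToken: false
      containers:
        - name: ai-service
          # TODO(review): ":latest" is a mutable tag; pin an immutable tag
          # or an @sha256 digest so rollouts are reproducible and the
          # image cannot change underneath this Deployment.
          image: your-registry/ai-service:latest
          ports:
            - containerPort: 7860
              name: http
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          # All credentials come from the medical-ai-secrets Secret, which
          # is not defined in this file. It must exist in the namespace
          # before the pods start: none of these refs are optional, so a
          # missing Secret or key blocks container creation.
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: medical-ai-secrets
                  key: DATABASE_URL
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: medical-ai-secrets
                  key: REDIS_URL
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: medical-ai-secrets
                  key: SECRET_KEY
            - name: JWT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: medical-ai-secrets
                  key: JWT_SECRET_KEY
          # Both probes hit the named "http" port (7860).
          readinessProbe:
            httpGet:
              path: /health/ready
              port: http
            initialDelaySeconds: 20
          livenessProbe:
            httpGet:
              path: /health/live
              port: http
            initialDelaySeconds: 30
          # Writable paths required because the root filesystem is
          # read-only. All three are emptyDir, so contents do not survive
          # a pod restart and /app/models is re-populated each time.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: uploads
              mountPath: /app/uploads
            - name: models
              mountPath: /app/models
          resources:
            requests:
              cpu: "500m"
              memory: "2Gi"
            limits:
              cpu: "2000m"
              memory: "4Gi"
      # NOTE(review): no sizeLimit is set on these emptyDirs, so uploads
      # or model files can consume node disk until eviction; consider
      # adding one sized for the expected working set.
      volumes:
        - name: tmp
          emptyDir: {}
        - name: uploads
          emptyDir: {}
        - name: models
          emptyDir: {}
---
# ClusterIP Service (type omitted) fronting the pods on port 80 and
# forwarding to the container's named "http" port (7860). Reachable only
# once a NetworkPolicy permits ingress to app=ai-service pods.
apiVersion: v1
kind: Service
metadata:
  name: ai-service
  namespace: medical-ai
spec:
  selector:
    app: ai-service
  ports:
    - port: 80
      targetPort: http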