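---
# CronJob that runs the updatebot container once a week.  The pod gets its
# project configuration, SSH files and secrets as read-only mounts, runs as a
# non-root user on a read-only root filesystem, and borrows `diff` and
# `kubectl` from the node it is scheduled on.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: updatebot
  labels: &labels
    app.kubernetes.io/name: updatebot
spec:
  # 06:32 every Saturday, evaluated in the time zone below.  Quoted so the
  # cron expression is always read as a single string.
  schedule: '32 6 * * 6'
  timeZone: America/Chicago
  # Do not start a new run while the previous one is still active.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          labels: *labels
        spec:
          restartPolicy: Never
          containers:
            - name: updatebot
              # NOTE(review): the image has no tag or digest, so together
              # with `imagePullPolicy: Always` every run executes whatever
              # the registry currently serves under the default tag.  This
              # pod holds SSH and API secrets; consider pinning, e.g.
              # git.pyrocufflink.net/infra/updatebot@sha256:<DIGEST>.
              image: git.pyrocufflink.net/infra/updatebot
              imagePullPolicy: Always
              securityContext:
                readOnlyRootFilesystem: true
                # Hardening added in review: block setuid/file-capability
                # privilege gain and drop all Linux capabilities, which a
                # non-root job is not expected to need.
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
              volumeMounts:
                - mountPath: /etc/ssh/ssh_known_hosts
                  name: ssh-known-hosts
                  readOnly: true
                  subPath: ssh_known_hosts
                - mountPath: /home/bot/.config/updatebot
                  name: updatebot-config
                  readOnly: true
                - mountPath: /home/bot/.ssh
                  name: updatebot-ssh
                  readOnly: true
                - mountPath: /run/secrets/updatebot
                  name: updatebot-secrets
                  readOnly: true
                # The only mount in this manifest that is not read-only.
                - mountPath: /tmp
                  name: tmp
                  subPath: tmp
                - mountPath: /usr/bin/diff
                  name: diff
                  readOnly: true
                - mountPath: /usr/bin/kubectl
                  name: kubectl
                  readOnly: true
          nodeSelector:
            kubernetes.io/arch: amd64
          securityContext:
            runAsNonRoot: true
            # Volumes that support ownership management (the secrets below
            # included) are made accessible to this supplemental group.
            fsGroup: 25167
            # Hardening added in review: use the container runtime's default
            # seccomp filter instead of running unconfined.
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: updatebot
          volumes:
            # NOTE(review): both hostPath volumes execute binaries taken
            # from the node, so the job trusts each node's /usr/bin/diff
            # and /usr/bin/kubectl (and their versions).  hostPath is also
            # rejected by the Baseline Pod Security Standard; shipping the
            # tools in the image would remove the dependency.
            - name: diff
              hostPath:
                path: /usr/bin/diff
                type: File
            - name: kubectl
              hostPath:
                path: /usr/bin/kubectl
                type: File
            - name: ssh-known-hosts
              configMap:
                name: ssh-known-hosts
            # Memory-backed scratch space with no sizeLimit set.
            # NOTE(review): consider a sizeLimit so a runaway job cannot
            # consume unbounded node memory.
            - name: tmp
              emptyDir:
                medium: Memory
            - name: updatebot-config
              configMap:
                name: updatebot-projects
            # defaultMode is a numeric field: keep it an unquoted octal
            # literal (0640 = rw-r-----).  Group read is what lets the
            # fsGroup above read the files; "other" gets no access.
            - name: updatebot-secrets
              secret:
                secretName: updatebot
                defaultMode: 0640
            - name: updatebot-ssh
              secret:
                secretName: updatebot-ssh
                defaultMode: 0640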