apiVersion: v1
kind: Pod
metadata:
  name: nginx-volumes-disallowed
  labels:
    app: nginx-volumes-disallowed
spec:
  securityContext:
    supplementalGroups:
      - 101
    fsGroup: 101
  containers:
    - name: nginx
      image: nginxinc/nginx-unprivileged:1.19
      resources:
        limits:
          cpu: 1
          memory: 1Gi
        requests:
          cpu: 1
          memory: 1Gi
      ports:
      - containerPort: 8080
        protocol: TCP
      securityContext:
        runAsUser: 101
        runAsGroup: 101
        capabilities:
          drop:
            - ALL
        allowPrivilegeEscalation: false
      readinessProbe:
          httpGet:
            scheme: HTTP
            path: /index.html
            port: 8080
      livenessProbe:
          httpGet:
            scheme: HTTP
            path: /index.html
            port: 8080
      volumeMounts:
      - mountPath: /cache
        name: cache-volume
  volumes:
  - name: cache-volume
    hostPath:
      path: /tmp # directory location on host
  - name: demo-vol
    emptyDir: {}