---
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - image: alpine:latest
    imagePullPolicy: IfNotPresent
    name: primary
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
  initContainers:
  - image: alpine:latest
    imagePullPolicy: IfNotPresent
    name: init1
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 10001
      runAsNonRoot: true
      runAsUser: 10001
      seccompProfile:
        type: RuntimeDefault
  - image: busybox:latest
    imagePullPolicy: IfNotPresent
    name: init2
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - SYS_TIME
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 10002
      runAsNonRoot: true
      runAsUser: 10002
      seccompProfile:
        type: RuntimeDefault