apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  serviceName: buildkitd
  podManagementPolicy: Parallel
  replicas: 1
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
      annotations:
        container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
        container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined
# see buildkit/docs/rootless.md for caveats of rootless mode
    spec:
      containers:
      - name: buildkitd
        image: moby/buildkit:master-rootless
        args:
        - --oci-worker-no-process-sandbox
        readinessProbe:
          exec:
            command:
            - buildctl 
            - debug 
            - workers
          initialDelaySeconds: 5
          periodSeconds: 30
        livenessProbe:
          exec:
            command:
            - buildctl 
            - debug 
            - workers
          initialDelaySeconds: 5
          periodSeconds: 30
        securityContext:
# To change UID/GID, you need to rebuild the image
          runAsUser: 1000
          runAsGroup: 1000