apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
      annotations:
        container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
        container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined
# see buildkit/docs/rootless.md for caveats of rootless mode
    spec:
      containers:
      - name: buildkitd
        image: moby/buildkit:master-rootless
        args:
        - --addr
        - unix:///run/user/1000/buildkit/buildkitd.sock
        - --addr
        - tcp://0.0.0.0:1234
        - --tlscacert
        - /certs/ca.pem
        - --tlscert
        - /certs/cert.pem
        - --tlskey
        - /certs/key.pem
        - --oci-worker-no-process-sandbox
# the probe below will only work after Release v0.6.3        
        readinessProbe:
          exec:
            command:
            - buildctl 
            - debug 
            - workers
          initialDelaySeconds: 5
          periodSeconds: 30
# the probe below will only work after Release v0.6.3        
        livenessProbe:
          exec:
            command:
            - buildctl 
            - debug 
            - workers
          initialDelaySeconds: 5
          periodSeconds: 30        
        securityContext:
# To change UID/GID, you need to rebuild the image
          runAsUser: 1000
          runAsGroup: 1000
        ports:
        - containerPort: 1234
        volumeMounts:
        - name: certs
          readOnly: true
          mountPath: /certs
      volumes:
# buildkit-daemon-certs must contain ca.pem, cert.pem, and key.pem
      - name: certs
        secret:
          secretName: buildkit-daemon-certs
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  ports:
  - port: 1234
    protocol: TCP
  selector:
    app: buildkitd