apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: pomerium
spec:
  template:
    spec:
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsGroup: 1000
        runAsUser: 1000
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "80"
      containers:
        - name: pomerium
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL