rossum/anydatacenter/30-policy-demo/postPolicy.tf

resource "kubernetes_deployment" "post_policy_sleeper" {
  metadata {
    name      = "post-policy-sleeper"
    namespace = kubernetes_namespace.rossum.metadata[0].name
    labels = {
      "app.kubernetes.io/name"    = "post-policy-sleeper"
      "app.kubernetes.io/version" = "v5"
    }
  }

  spec {
    replicas = 3

    selector {
      match_labels = {
        "app.kubernetes.io/name" = "post-policy-sleeper"
      }
    }

    template {
      metadata {
        labels = {
          "app.kubernetes.io/name" = "post-policy-sleeper"
        }
      }

      spec {
        container {
          name  = "sleepy"
          image = "busybox"
          command = [
            "sh",
            "-c",
            "while true; do sleep 60; done"
          ]
        }

        security_context {
          run_as_user  = 1000
          run_as_group = 1000
        }
      }
    }
  }

  lifecycle {
    ignore_changes = [
      # Injected by kyverno policy on create
      spec[0].template[0].spec[0].topology_spread_constraint
    ]
  }

  # Execute after the kyverno policy is in place
  depends_on = [kubernetes_manifest.kyverno_policy_topology_spread]
}