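---
# coturn TURN/STUN relay, one pod per node so relay ports can be published
# directly on the node address via hostPort.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: coturn
spec:
  # NOTE(review): apps/v1 DaemonSets require spec.selector and matching
  # template.metadata.labels; neither is present here. That is fine if this
  # file is a strategic-merge patch over a base that supplies them — otherwise
  # the API server will reject it. Confirm against the kustomization/base.
  template:
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        # Fail fast instead of starting as root if the image or a later patch
        # ever drops the explicit uid above.
        runAsNonRoot: true
        # Apply the container runtime's default syscall filter (required by the
        # Pod Security "restricted" profile).
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: coturn
          # NOTE(review): an untagged reference resolves to :latest, so every
          # node may pull a different build. Pin a tag or, better, an @sha256
          # digest so rollouts are reproducible and auditable.
          image: coturn/coturn
          args: ["-c", "/config/turnserver.conf"]
          # NOTE(review): no resources requests/limits are set; a DaemonSet
          # without them competes unbounded with node workloads. Add values
          # once the expected load per node is known.
          ports:
            # Control/listening port. Unlike the relay ports below it has no
            # hostPort — presumably it is exposed through a Service; verify that
            # clients can actually reach 3478 on the node.
            - name: turn-3478
              containerPort: 3478
              protocol: UDP
            # Relay ports, published 1:1 on the node. Each TURN allocation
            # consumes one relay port, so this publishes at most 7 concurrent
            # allocations per node. The range must agree with min-port/max-port
            # in turnserver.conf (not visible here) — a mismatch means coturn
            # hands out relay ports that are not reachable from outside.
            - name: turn-49152
              containerPort: 49152
              hostPort: 49152
              protocol: UDP
            - name: turn-49153
              containerPort: 49153
              hostPort: 49153
              protocol: UDP
            - name: turn-49154
              containerPort: 49154
              hostPort: 49154
              protocol: UDP
            - name: turn-49155
              containerPort: 49155
              hostPort: 49155
              protocol: UDP
            - name: turn-49156
              containerPort: 49156
              hostPort: 49156
              protocol: UDP
            - name: turn-49157
              containerPort: 49157
              hostPort: 49157
              protocol: UDP
            - name: turn-49158
              containerPort: 49158
              hostPort: 49158
              protocol: UDP
          volumeMounts:
            # Config (credentials included) comes from a Secret. Caveat: subPath
            # mounts are not refreshed when the Secret changes, so rotating the
            # shared secret / users requires a pod restart or rollout.
            - name: config
              mountPath: /config/turnserver.conf
              subPath: turnserver.conf
              readOnly: true
            # Writable scratch space; required because the root filesystem is
            # mounted read-only below.
            - name: var-tmp
              mountPath: /var/tmp
          securityContext:
            capabilities:
              # Drop everything, then re-add the single capability the image
              # needs — see https://github.com/coturn/coturn/issues/994
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
      volumes:
        - name: config
          secret:
            secretName: coturn
        - name: var-tmp
          emptyDir: {}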