# Run SingleStore with Volume Mounts and Restricted Pod Security

To run SingleStore under the Kubernetes Pod Security Standards `restricted` profile, the `aggregatorSpec`, `leafSpec`, and `backupSpec` each support a `securityContext` field that overrides the security context of the containers the Operator creates for those pods. The `nodeVolumes` field mounts arbitrary volumes into the node pods; in this example it is required because `readOnlyRootFilesystem: true` makes the image filesystem unwritable, so an `emptyDir` volume is mounted at `/tmp` to give the node a writable scratch location.

```yaml
aggregatorSpec:
  nodeVolumes:
    volumeMounts:
    - mountPath: /tmp
      name: tmp
    volumes:
    - emptyDir: {}
      name: tmp
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
```

```yaml
backupSpec:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
```

Add the following `securityContext` to the container in the Operator Deployment so that the Operator pod also satisfies the `restricted` profile. The `restricted` profile additionally requires `seccompProfile.type` to be `RuntimeDefault` or `Localhost` at either the pod or the container level; if the Operator pod's `securityContext` does not already set it, add it to this container as well.

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001
```

Refer to [Enforce Pod Security Standards with Namespace Labels](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/) for more information.
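Before applying a CR or the Operator Deployment to a namespace that enforces the `restricted` profile, it is useful to lint the security context offline against the profile's rules rather than discovering the rejection from the admission controller. The following Python is an added example, not code from the page or from SingleStore; it encodes the `restricted` checks for the fields shown above (explicit `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot`, a non-zero `runAsUser`, a `seccompProfile`, and only the allowed volume types) with container-level values inheriting from an optional pod-level context. The specs it checks are transcribed from the YAML above plus one constructed weak spec; the helper names and the `hostPath` sample are assumptions made for the example.

```python
"""Lint container/pod securityContext fields and volumes against the
Kubernetes Pod Security Standards "restricted" profile, offline.
Added example; not part of the SingleStore Operator."""

ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(container_sc, pod_sc=None, volumes=()):
    """Return a list of violations of the restricted profile (empty == passes)."""
    pod_sc = pod_sc or {}
    problems = []

    def effective(key):
        # A container-level value wins; otherwise inherit the pod-level one.
        return container_sc.get(key, pod_sc.get(key))

    if container_sc.get("privileged"):
        problems.append("privileged containers are not allowed")
    if container_sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be explicitly false")
    caps = container_sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
    if extra:
        problems.append(f"capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
    if effective("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true (pod or container level)")
    if effective("runAsUser") == 0:
        problems.append("runAsUser must not be 0")
    seccomp = effective("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost (pod or container level)")
    for vol in volumes:
        # Every key other than "name" names the volume source type.
        bad = (set(vol) - {"name"}) - ALLOWED_VOLUME_TYPES
        if bad:
            problems.append(f"volume {vol.get('name')!r} uses disallowed type(s) {sorted(bad)}")
    return problems


# Transcribed from the aggregatorSpec shown on this page.
AGGREGATOR_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "runAsUser": 999,
    "seccompProfile": {"type": "RuntimeDefault"},
}
AGGREGATOR_VOLUMES = [{"emptyDir": {}, "name": "tmp"}]

# Transcribed from the Operator container snippet, which sets no seccompProfile.
OPERATOR_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "runAsUser": 10001,
}

# Constructed weak spec for contrast: root user, nothing dropped, hostPath mount.
WEAK_SC = {"runAsUser": 0}
WEAK_VOLUMES = [{"hostPath": {"path": "/data"}, "name": "data"}]


def lint_page_examples():
    """Run the checks over the specs above; keyed results for inspection."""
    return {
        "aggregator": restricted_violations(AGGREGATOR_SC, volumes=AGGREGATOR_VOLUMES),
        "operator_no_pod_sc": restricted_violations(OPERATOR_SC),
        "operator_with_pod_seccomp": restricted_violations(
            OPERATOR_SC, pod_sc={"seccompProfile": {"type": "RuntimeDefault"}}),
        "weak": restricted_violations(WEAK_SC, volumes=WEAK_VOLUMES),
    }


if __name__ == "__main__":
    for name, problems in lint_page_examples().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The aggregator spec passes as written. The Operator container snippet passes only when the pod-level `securityContext` supplies the `seccompProfile`; on its own it reports exactly that one missing field, which is the rejection the admission controller would otherwise return. The `readOnlyRootFilesystem` setting is deliberately not checked because the `restricted` profile does not require it; it is extra hardening on top of the profile, and the reason the `/tmp` volume is needed.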

***

Modified at: August 2, 2024

Source: [/db/v9.1/reference/singlestore-operator-reference/run-singlestore-with-volume-mounts-and-restricted-pod-security/](https://docs.singlestore.com/db/v9.1/reference/singlestore-operator-reference/run-singlestore-with-volume-mounts-and-restricted-pod-security/)

(An index of the documentation is available at /llms.txt)
