precreate tmp folders in nginx container

deploy/prod-pod.yml

@@ -144,22 +144,31 @@ spec:
 
   - name: nginx
     image: docker.io/nginx:alpine
+    command: ["/bin/sh"]
+    args:
+      - "-c"
+      - |
+        mkdir -p /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;
+        chmod 777 /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;
+        exec nginx -g 'daemon off;'
     # Security: drop all capabilities, read-only root filesystem
     securityContext:
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
       capabilities:
         drop: ["ALL"]
-      runAsUser: 0  # Run as root
-      runAsGroup: 0 # Run as root group
+      runAsNonRoot: true
+      runAsUser: 1000
+      runAsGroup: 1000
     ports:
       - containerPort: 8080           # inside pod
-        hostIP: 127.0.0.1             # only loopback on host
       - containerPort: 8090           # health inside pod (not exposed)
     volumeMounts:
       - { name: nginx-run,   mountPath: /var/run,              readOnly: false }
       - { name: nginx-cache, mountPath: /var/cache/nginx,      readOnly: false }
       - { name: nginx-conf,  mountPath: /etc/nginx/nginx.conf, readOnly: true, subPath: nginx.conf }
+      - name: nginx-tmp
+        mountPath: /tmp
     # Health check
     livenessProbe:
       httpGet: { path: /healthz, port: 8090, scheme: HTTP }
@@ -192,3 +201,6 @@ spec:
     hostPath: { path: /opt/sharenet/volumes/nginx-cache, type: DirectoryOrCreate }
   - name: nginx-conf
     hostPath: { path: /opt/sharenet/nginx, type: Directory }
+  - name: nginx-tmp
+    emptyDir: 
+      medium: Memory  # Uses tmpfs for better performance