diff --git a/.claude/settings.local.json b/.claude/settings.local.json
new file mode 100644
index 0000000..abac890
--- /dev/null
+++ b/.claude/settings.local.json
@@ -0,0 +1,8 @@
+{
+ "permissions": {
+ "allow": [
+ "mcp__context7__resolve-library-id",
+ "mcp__context7__query-docs"
+ ]
+ }
+}
diff --git a/helm/nginx/templates/deployment.yaml b/helm/nginx/templates/deployment.yaml
index ab0591d..9d9f90f 100644
--- a/helm/nginx/templates/deployment.yaml
+++ b/helm/nginx/templates/deployment.yaml
@@ -1,22 +1,31 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: { { include "nginx.fullname" . } }
+ name: {{ include "nginx.fullname" . }}
 labels:
- app: { { include "nginx.name" . } }
+ app: {{ include "nginx.name" . }}
 spec:
- replicas: { { .Values.replicaCount } }
+ replicas: {{ .Values.replicaCount }}
 selector:
 matchLabels:
- app: { { include "nginx.name" . } }
+ app: {{ include "nginx.name" . }}
 template:
 metadata:
 labels:
- app: { { include "nginx.name" . } }
+ app: {{ include "nginx.name" . }}
 spec:
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: { { .Values.image.pullPolicy } }
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 ports:
- - containerPort: 80
+ - containerPort: 8080
diff --git a/helm/nginx/templates/service.yaml b/helm/nginx/templates/service.yaml
index e0b39cc..b00c093 100644
--- a/helm/nginx/templates/service.yaml
+++ b/helm/nginx/templates/service.yaml
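Review bot: `.claude/settings.local.json` is a per-developer tool settings file (the `.local` suffix conventionally marks it as such) and has nothing to do with the nginx and policy changes in the rest of the commit. Committing it means its `permissions.allow` entries, which pre-approve two MCP tools, apply to every clone of the repository rather than to the one machine they were approved on. Drop the file from the commit and add `.claude/settings.local.json` to `.gitignore` so it is not picked up again.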
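Review bot: `runAsNonRoot: true` in the new pod securityContext is combined, in this commit's Dockerfile hunk, with `USER nginx` — a user name, not a numeric UID. The kubelet can only verify the non-root requirement against a numeric UID, so with a named USER and no `runAsUser` the container is refused at start with an error that the image user is non-numeric and cannot be verified. Either add `runAsUser` (and `runAsGroup`) under the pod securityContext with the UID of the `nginx` user in the base image — 101 in the official nginx images, confirm for this tag — or change the Dockerfile to `USER 101`. Since `nginx.conf` now keeps the pid file and temp directories under `/tmp`, `readOnlyRootFilesystem: true` on the container is also within reach once `/tmp` is backed by an `emptyDir` volume; the hunk does not mount one yet.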
@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: { { include "nginx.fullname" . } }
+ name: {{ include "nginx.fullname" . }}
 spec:
- type: { { .Values.service.type } }
+ type: {{ .Values.service.type }}
 ports:
- - port: { { .Values.service.port } }
- targetPort: 80
+ - port: {{ .Values.service.port }}
+ targetPort: 8080
 selector:
- app: { { include "nginx.name" . } }
+ app: {{ include "nginx.name" . }}
diff --git a/image/Dockerfile b/image/Dockerfile
index 02907f6..4d38882 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -1,2 +1,5 @@
 FROM nginx:1.25-alpine
 COPY nginx.conf /etc/nginx/nginx.conf
+RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx /etc/nginx
+USER nginx
+EXPOSE 8080
diff --git a/image/nginx.conf b/image/nginx.conf
index 995762a..5ec669b 100644
--- a/image/nginx.conf
+++ b/image/nginx.conf
@@ -1,7 +1,17 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
 events {}
+
 http {
+ client_body_temp_path /tmp/client_body;
+ proxy_temp_path /tmp/proxy;
+ fastcgi_temp_path /tmp/fastcgi;
+ uwsgi_temp_path /tmp/uwsgi;
+ scgi_temp_path /tmp/scgi;
+
 server {
- listen 80;
+ listen 8080;
 location / {
 return 200 'Hello from custom nginx!';
 }
diff --git a/policies/kyverno-image-signature-policy.yaml b/policies/kyverno-image-signature-policy.yaml
index 6c8175f..d220f7f 100644
--- a/policies/kyverno-image-signature-policy.yaml
+++ b/policies/kyverno-image-signature-policy.yaml
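Review bot: `targetPort: 8080` repeats a literal that this commit also hard-codes as `containerPort: 8080` in the Deployment and as `listen 8080;` in `nginx.conf`, so the next port change has to be made in three files and a miss breaks routing silently. Naming the container port in the Deployment, `- name: http` / `containerPort: 8080`, and referencing it here as `targetPort: http` ties the Service to the container declaration instead of to a number that must be kept in sync by hand.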
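Review bot: `RUN chown -R nginx:nginx ... /etc/nginx` hands ownership of the configuration directory — the one the previous `COPY` just populated — to the runtime user, so a compromised worker can rewrite `nginx.conf` and anything else under `/etc/nginx`. Nothing in the shown `nginx.conf` includes `conf.d`, so unless the base image's entrypoint template rendering into `/etc/nginx/conf.d` is relied on, the configuration can stay root-owned and read-only; with `pid` and the `*_temp_path` directives now pointing into `/tmp`, `/var/cache/nginx` may not need the chown either (the official image's log files are symlinks to stdout/stderr, which is presumably why `/var/log/nginx` is listed — confirm). Change the line to `RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx`, and replace `USER nginx` with `USER 101` (the nginx user's UID in the official images — confirm for this tag) so that the pod-level `runAsNonRoot: true` added in the chart can be verified by the kubelet, which cannot check a named user.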
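Review bot: The new `http` block does not set `server_tokens`, which defaults to on, so responses still carry the exact nginx version in the `Server` header and on the built-in error pages. Add `server_tokens off;` next to the new `*_temp_path` directives. Moving `pid` and the temp paths under `/tmp` is what makes a read-only root filesystem feasible for the container; that in turn requires `/tmp` to be writable at runtime (an `emptyDir` mounted there), which the Deployment hunk in this commit does not yet provide.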
@@ -4,21 +4,22 @@ metadata:
 name: require-image-signature
 spec:
 validationFailureAction: Enforce
+ background: false
 rules:
- - name: verify-image-signature
- match:
- resources:
- kinds:
- - Pod
- include:
- resources:
- namespaces:
- - cosign-test
- verifyImages:
- - image: "git.ntk.novotelecom.ru/adm/docker-trust*"
- key: "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1kmEd1dzkY0MLMhNlkPz8LbX70tdw5acXoKYvOGzcTUK4jppKBCLst121UMC0L5DcgqNE9uly0S78aE8pbIxpBSgVdM8NPRa90vGTi50rauzOGiVRSxOzmkh3BVErqga84U9xb8QmS28rwjdSCbZSx27quzkDrvHwrfid5DroCSkNFQo7Bb84jlgTbrV5KwXkd7G5bMB3qaAzIpBQH+LbKn8/76rlU9/NfUpzftFdOwVVOWQIC7PYU8z2cKI9C+Su+MkrozuGSLrR/Z/urCK9xibrUzRMX7N2v5ORXGhili4pFJG7asxQjPzl2a23iYGkt8c5egxlXWFk4zrVnmawIDAQAB-----END PUBLIC KEY-----"
- attestors:
- - entries:
- - keyless:
- subject: "*"
- issuer: "*"
+ - name: check-image-signature
+ match:
+ any:
+ - resources:
+ kinds: [Pod]
+ namespaces: ["cosign-test"]
+ verifyImages:
+ - imageReferences:
+ - "git.realmanual.ru/pub/*"
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZZ/9MbR3WZg9K/pk936vukFjeWVt
+ 2oMpW4OmElpIq1aH3jZIA03Hwm7FVdhyumb1vPu5k0DOV8RX4UIs6rkhzA==
+ -----END PUBLIC KEY-----
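Review bot: The rule verifies only images whose reference matches `git.realmanual.ru/pub/*`; a Pod in `cosign-test` that pulls from any other registry or path matches no `imageReferences` entry and is admitted with no signature check at all. If the intent is that everything running in that namespace be signed, pair this rule with one that rejects images outside the allowed prefix (a `validate` rule on the container image fields, or further `verifyImages` entries for the other prefixes); if the narrow scope is deliberate, say so on the rule, e.g. `# only git.realmanual.ru/pub/* is verified; other registries are intentionally out of scope`. With a static `keys` attestor Kyverno by default also looks the signature up in the public Rekor transparency log, so if these images are signed without a Rekor upload the rule needs `rekor.ignoreTlog: true` — worth confirming against the signing pipeline.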