apiVersion: v1
kind: Pod
metadata:
  name: nginx-untrusted
  labels:
    run: nginx
    untrusted: "true"
  annotations:
    io.kubernetes.cri.untrusted-workload: "true"
spec:
  containers:
  - name: nginx
    image: nginx