From 5d8c89b1644507acf72d9fe81cbaf5a8bc2d95bd Mon Sep 17 00:00:00 2001
From: Vinayak Goyal <vinaygo@google.com>
Date: Thu, 15 Apr 2021 15:32:39 -0700
Subject: [PATCH] Run control-plane as non root in kube-up.

---
 cluster/gce/util.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index ff4084b7f59..d414248a51c 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1355,6 +1355,18 @@ ETCD_PEER_KEY: $(yaml-quote "${ETCD_PEER_KEY_BASE64:-}")
 ETCD_PEER_CERT: $(yaml-quote "${ETCD_PEER_CERT_BASE64:-}")
 SERVICEACCOUNT_ISSUER: $(yaml-quote "${SERVICEACCOUNT_ISSUER:-}")
 KUBECTL_PRUNE_WHITELIST_OVERRIDE: $(yaml-quote "${KUBECTL_PRUNE_WHITELIST_OVERRIDE:-}")
+KUBE_SCHEDULER_RUNASUSER: 2001
+KUBE_SCHEDULER_RUNASGROUP: 2001
+KUBE_ADDON_MANAGER_RUNASUSER: 2002
+KUBE_ADDON_MANAGER_RUNASGROUP: 2002
+KUBE_CONTROLLER_MANAGER_RUNASUSER: 2003
+KUBE_CONTROLLER_MANAGER_RUNASGROUP: 2003
+KUBE_API_SERVER_RUNASUSER: 2004
+KUBE_API_SERVER_RUNASGROUP: 2004
+KUBE_PKI_READERS_GROUP: 2005
+ETCD_RUNASUSER: 2006
+ETCD_RUNASGROUP: 2006
+KUBE_POD_LOG_READERS_GROUP: 2007
 EOF
     # KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
     # flag