explicitly set run as user/group in addons that set this config in their dockerfile

2025-09-15 14:14:39 +00:00 · 2018-11-13 16:42:04 -08:00
parent 98c468de8d
commit 8bcb178da3
10 changed files with 44 additions and 14 deletions
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
@@ -17,19 +17,22 @@ spec:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-cluster-critical
+      securityContext:
+        supplementalGroups: [ 65534 ]
+        fsGroup: 65534
      containers:
-        - image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.1.2-r2
-          name: autoscaler
-          command:
-            - /cluster-proportional-autoscaler
-            - --namespace=kube-system
-            - --configmap=calico-typha-horizontal-autoscaler
-            - --target=deployment/calico-typha
-            - --logtostderr=true
-            - --v=2
-          resources:
-            requests:
-              cpu: 10m
-            limits:
-              cpu: 10m
+      - image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.1.2-r2
+        name: autoscaler
+        command:
+          - /cluster-proportional-autoscaler
+          - --namespace=kube-system
+          - --configmap=calico-typha-horizontal-autoscaler
+          - --target=deployment/calico-typha
+          - --logtostderr=true
+          - --v=2
+        resources:
+          requests:
+            cpu: 10m
+          limits:
+            cpu: 10m
      serviceAccountName: typha-cpha