Run as non-root for kubernetes on VPA

Lujeni · Lujeni · commit 03d89f731224 · 2020-04-03T17:44:42.000Z
diff --git a/vertical-pod-autoscaler/deploy/admission-controller-deployment.yaml b/vertical-pod-autoscaler/deploy/admission-controller-deployment.yaml
@@ -15,6 +15,9 @@ spec:
         app: vpa-admission-controller
     spec:
       serviceAccountName: vpa-admission-controller
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534 # nobody
       containers:
         - name: admission-controller
           image: k8s.gcr.io/vpa-admission-controller:0.6.3
diff --git a/vertical-pod-autoscaler/deploy/recommender-deployment.yaml b/vertical-pod-autoscaler/deploy/recommender-deployment.yaml
@@ -21,6 +21,9 @@ spec:
         app: vpa-recommender
     spec:
       serviceAccountName: vpa-recommender
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534 # nobody
       containers:
       - name: recommender
         image: k8s.gcr.io/vpa-recommender:0.6.3
diff --git a/vertical-pod-autoscaler/deploy/updater-deployment.yaml b/vertical-pod-autoscaler/deploy/updater-deployment.yaml
@@ -21,6 +21,9 @@ spec:
         app: vpa-updater
     spec:
       serviceAccountName: vpa-updater
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534 # nobody
       containers:
         - name: updater
           image: k8s.gcr.io/vpa-updater:0.6.3
diff --git a/vertical-pod-autoscaler/examples/hamster.yaml b/vertical-pod-autoscaler/examples/hamster.yaml
@@ -29,6 +29,9 @@ spec:
       labels:
         app: hamster
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534 # nobody
       containers:
         - name: hamster
           image: k8s.gcr.io/ubuntu-slim:0.1
