From 28995870c7ac9be56ea05d4e099845fdfc88f041 Mon Sep 17 00:00:00 2001
From: hasbro17
Date: Wed, 17 Jan 2018 12:38:25 -0800
Subject: [PATCH] k8sutil: run etcd pods as non-root user

---
 pkg/util/k8sutil/k8sutil.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/util/k8sutil/k8sutil.go b/pkg/util/k8sutil/k8sutil.go
index d0a13e143..fa10b7a95 100644
--- a/pkg/util/k8sutil/k8sutil.go
+++ b/pkg/util/k8sutil/k8sutil.go
@@ -292,6 +292,9 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state,
 }})
 }
 
+ runAsNonRoot := true
+ podUID := int64(9000)
+ fsGroup := podUID
 pod := &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: m.Name,
@@ -319,6 +322,11 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state,
 Hostname: m.Name,
 Subdomain: clusterName,
 AutomountServiceAccountToken: func(b bool) *bool { return &b }(false),
+ SecurityContext: &v1.PodSecurityContext{
+ RunAsUser: &podUID,
+ RunAsNonRoot: &runAsNonRoot,
+ FSGroup: &fsGroup,
+ },
 },
 }
 SetEtcdVersion(pod, cs.Version)
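Review bot: The hardening in the second hunk stops at the pod level — `RunAsUser`, `RunAsNonRoot` and `FSGroup` change the UID, but nothing drops Linux capabilities or blocks privilege escalation, and `podUID := int64(9000)` in the first hunk is an unexplained magic number that the etcd data volume must be writable by. I would lift it to a documented package constant, `// etcdPodUID is the non-root UID etcd runs as; FSGroup makes volumes writable by it only for volume types Kubernetes manages ownership for (emptyDir, most PVs), not hostPath.` followed by `const etcdPodUID int64 = 9000`, and, if the vendored Kubernetes API is new enough, also give the etcd container a `SecurityContext` with `Capabilities.Drop: ["ALL"]` and `AllowPrivilegeEscalation: false`. Since the context is applied unconditionally, a pre-existing data volume still owned by root would make the member fail to start at UID 9000 after an upgrade, so this deserves a release note or an override in the cluster's pod policy. The container definition this would apply to, and the rest of newEtcdPod, lie outside both hunks.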