diff --git a/Dockerfile.stage b/Dockerfile.stage
index f6eda92..f9ede75 100644
--- a/Dockerfile.stage
+++ b/Dockerfile.stage
@@ -115,7 +115,8 @@ ENV NEURON_PORT=7772
 ENV K3S_DATA_DIR=/var/lib/rancher/k3s
 ENV KUBECONFIG=/var/lib/rancher/k3s/server/cred/admin.kubeconfig
-USER landing
+# k3s requires root to create network namespaces and mount cgroups.
+# Cloud Run gen2 sandbox is the security boundary here.
 EXPOSE 8080
 CMD ["/usr/local/bin/entrypoint.sh"]
diff --git a/dist/k3s-soul-demo.yaml b/dist/k3s-soul-demo.yaml
index e97eb49..e76eff1 100644
--- a/dist/k3s-soul-demo.yaml
+++ b/dist/k3s-soul-demo.yaml
@@ -87,4 +87,4 @@ spec:
 name: cpu
 target:
 type: Utilization
- averageUtilization: 60
+ averageUtilization: 80
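Review bot: In Dockerfile.stage, removing `USER landing` makes everything the image starts run as root, not just k3s: `entrypoint.sh` and whatever it launches behind `EXPOSE 8080` inherit uid 0, in the same container as the admin kubeconfig named by `KUBECONFIG`. The new comment names the Cloud Run sandbox as the boundary, but that only separates the container from the platform; inside the container nothing now separates the request-facing process from the cluster credentials. entrypoint.sh is not part of this diff, so whether it drops privileges cannot be told from here; if it does not, consider starting k3s as root there and running the port-8080 service as `landing` again. Either way the comment should record the intent, e.g. `# Root is for k3s only; entrypoint.sh must start the 8080 listener as "landing".`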