From dafa27c30c005ccee20305aace3d2714151ad3ac Mon Sep 17 00:00:00 2001 From: Will Anderson Date: Thu, 7 May 2026 01:19:22 -0500 Subject: [PATCH] fix: run k3s as root, bump HPA CPU threshold to 80% MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit k3s needs CAP_SYS_ADMIN to create network namespaces and mount cgroups. USER landing was preventing this. Cloud Run gen2 is the security boundary. 60% CPU was too conservative for soul-demo — it is I/O-bound (LLM API calls), not CPU-bound. 80% gives correct headroom before scaling kicks in. --- Dockerfile.stage | 3 ++- dist/k3s-soul-demo.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile.stage b/Dockerfile.stage index f6eda92..f9ede75 100644 --- a/Dockerfile.stage +++ b/Dockerfile.stage @@ -115,7 +115,8 @@ ENV NEURON_PORT=7772 ENV K3S_DATA_DIR=/var/lib/rancher/k3s ENV KUBECONFIG=/var/lib/rancher/k3s/server/cred/admin.kubeconfig -USER landing +# k3s requires root to create network namespaces and mount cgroups. +# Cloud Run gen2 sandbox is the security boundary here. EXPOSE 8080 CMD ["/usr/local/bin/entrypoint.sh"] diff --git a/dist/k3s-soul-demo.yaml b/dist/k3s-soul-demo.yaml index e97eb49..e76eff1 100644 --- a/dist/k3s-soul-demo.yaml +++ b/dist/k3s-soul-demo.yaml @@ -87,4 +87,4 @@ spec: name: cpu target: type: Utilization - averageUtilization: 60 + averageUtilization: 80
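Review bot: In the Dockerfile.stage hunk (@@ -115,7 +115,8), deleting `USER landing` without a replacement leaves the runtime user implicit: it becomes whatever an earlier `USER` line or the base image sets. If root is intended, say so with an explicit `USER root` next to the new comment, so a later change to the base image cannot silently alter it. The change is also not scoped to k3s. Everything started by `CMD ["/usr/local/bin/entrypoint.sh"]`, including whatever serves the port in `EXPOSE 8080`, now runs with the same privileges and with `KUBECONFIG` pointing at `admin.kubeconfig`. Consider having entrypoint.sh start k3s as root and drop to `landing` for the remaining processes. The comment should also name which processes need root, not only that the Cloud Run gen2 sandbox is the boundary.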
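Review bot: In the dist/k3s-soul-demo.yaml hunk (@@ -87,4 +87,4), the new `averageUtilization: 80` has no comment in the manifest explaining it; the rationale exists only in the commit message. Please add a short note beside the value. The commit message describes soul-demo as I/O-bound on LLM API calls, which makes `name: cpu` a weak scaling signal at any threshold: pods can saturate on in-flight requests well before CPU reaches 80%, and raising the target delays scale-out further. Consider adding a second metric that tracks request concurrency or latency in place of relying on CPU alone. Also, if files under `dist/` are generated, the same change needs to land in the source they are built from, or the next build will revert it.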