feat: Support for non-root deployments for self-hosted gateway

tomkerkhove · tomkerkhove · commit c53e9fca307d · 2022-05-06T16:49:11.000+02:00
Signed-off-by: Tom Kerkhove &lt;kerkhove.tom@gmail.com&gt;
diff --git a/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md b/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md
@@ -147,6 +147,26 @@ Pods can experience disruption due to [various](https://kubernetes.io/docs/conce
 
 Consider using [Pod Disruption Budgets](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) to enforce a minimum number of pods to be available at any given time.
 
+## Security
+The self-hosted gateway is able to run as non-root in Kubernetes allowing customers to run the gateway securely.
+
+Here is an example of the security context for the self-hosted gateway:
+```yml
+securityContext:
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 2000
+  privileged: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+    - all
+```
+
+> [!WARNING]
+> When using local CA certificates, using `readOnlyRootFilesystem: true` is not supported. 
+
 ## Next steps
 
 * To learn more about the self-hosted gateway, see [Self-hosted gateway overview](self-hosted-gateway-overview.md).
diff --git a/articles/api-management/self-hosted-gateway-overview.md b/articles/api-management/self-hosted-gateway-overview.md
@@ -39,6 +39,8 @@ Deploying self-hosted gateways into the same environments where the backend API
 
 The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker [container image](https://aka.ms/apim/sputnik/dhub) from the Microsoft Container Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, cloud infrastructure, or for evaluation and development purposes, on a personal computer. You can also deploy the self-hosted gateway as a cluster extension to an [Azure Arc-enabled Kubernetes cluster](./how-to-deploy-self-hosted-gateway-azure-arc.md).
 
+### Known limitations
+
 The following functionality found in the managed gateways is **not available** in the self-hosted gateways:
 
 - Sending resource logs (diagnostic logs) to Azure Monitor. However, you can [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.
