From f047aff2d7c1b8fd40568e65e76a9c3fe0c678f3 Mon Sep 17 00:00:00 2001 From: joshvanl Date: Thu, 28 Aug 2025 17:00:08 -0300 Subject: [PATCH 1/4] [1.16] Add docs on DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK env var Fixes https://github.com/dapr/docs/issues/4784 Signed-off-by: joshvanl --- daprdocs/content/en/concepts/security-concept.md | 9 +++++++++ .../hosting/kubernetes/kubernetes-production.md | 12 +++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/concepts/security-concept.md b/daprdocs/content/en/concepts/security-concept.md index aa7bfe5af1b..e8400a0513e 100644 --- a/daprdocs/content/en/concepts/security-concept.md +++ b/daprdocs/content/en/concepts/security-concept.md @@ -198,6 +198,15 @@ Let's go over each of the security capabilities and describe how they are protec 7. Service B is deployed to namespace "B", which further isolates it from other services. Even if the service invocation API was enabled on it, it could not be called accidentally by being in the same namespace as Service A. Service B must explicitly set the Redis Host namespace in its component YAML file to call onto the "Redis" namespace, otherwise this call also fails. 8. The data in the Redis state store is encrypted at rest and can only be read using the correctly configured Dapr Redis state store component. +## Run as non-root +When running in Kubernetes, Dapr services will ensure each process is running as non-root. +This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. +If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. + +```bash +DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true" +``` + # Threat model Threat modeling is a process by which: 
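Review bot: the new "Run as non-root" section documents an escape hatch whose name says `UNSAFE` but never says what is given up when it is set; add a sentence after "set the following env var to skip this check" stating that with the check skipped Dapr will start under any UID/GID, root included, so the operator has to enforce non-root some other way (for example `runAsNonRoot: true` in the pod security context or a Pod Security Standard at the namespace level). Two wording points in the same hunk: "checking the UID & GID of the process is `65532`, and fatal erroring" should read "checking that the UID and GID of the process are `65532` and exiting with a fatal error", and it is worth making explicit that the comparison is against the exact value `65532`, so a non-root but different UID (say `1000`) also fails the check, which is the case the variable exists for. The text also says "set the following env var" without saying where; state that it must be set on the control-plane containers (via the Helm chart) and on the sidecar container, since the check runs in each Dapr process.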
diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md index 40c4c8d02c8..5113e0cf81b 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md @@ -343,10 +343,20 @@ By default, the Dapr sidecar injector injects a sidecar without any `seccompProf Refer to [the Arguments and Annotations overview]({{% ref "arguments-annotations-overview.md" %}}) to set the appropriate `seccompProfile` on the sidecar container. -## Best Practices +## Run as non-root +When running in Kubernetes, Dapr services will ensure each process is running as non-root. +This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. +If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. + +```bash +DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true" +``` + +## Best Practices Watch this video for a deep dive into the best practices for running Dapr in production with Kubernetes. + {{< youtube id=_U9wJqq-H1g >}} ## Related links From bbb5f55f3576e6a3fa7da7907bfec9edf87ac2c5 Mon Sep 17 00:00:00 2001 From: Josh van Leeuwen Date: Wed, 3 Sep 2025 18:26:52 -0300 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Mark Fussell Signed-off-by: Josh van Leeuwen --- daprdocs/content/en/concepts/security-concept.md | 2 +- .../en/operations/hosting/kubernetes/kubernetes-production.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/concepts/security-concept.md b/daprdocs/content/en/concepts/security-concept.md index e8400a0513e..c52cf981fe7 100644 --- a/daprdocs/content/en/concepts/security-concept.md +++ b/daprdocs/content/en/concepts/security-concept.md 
@@ -199,7 +199,7 @@ Let's go over each of the security capabilities and describe how they are protec 8. The data in the Redis state store is encrypted at rest and can only be read using the correctly configured Dapr Redis state store component. ## Run as non-root -When running in Kubernetes, Dapr services will ensure each process is running as non-root. +When running in Kubernetes, Dapr services ensure each process is running as non-root. This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md index 5113e0cf81b..c4f4b88e2a0 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md @@ -344,7 +344,7 @@ By default, the Dapr sidecar injector injects a sidecar without any `seccompProf Refer to [the Arguments and Annotations overview]({{% ref "arguments-annotations-overview.md" %}}) to set the appropriate `seccompProfile` on the sidecar container. ## Run as non-root -When running in Kubernetes, Dapr services will ensure each process is running as non-root. +When running in Kubernetes, Dapr services ensure each process is running as non-root. This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. From cf9b23ef50ce1589b423fb2760c4e5260cd74b65 Mon Sep 17 00:00:00 2001 From: joshvanl Date: Wed, 3 Sep 2025 18:28:46 -0300 Subject: [PATCH 3/4] Adds DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK to environment reference 
Signed-off-by: joshvanl --- daprdocs/content/en/reference/environment/_index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/environment/_index.md b/daprdocs/content/en/reference/environment/_index.md index ad26f9dcbc2..c2bd8f5e337 100644 --- a/daprdocs/content/en/reference/environment/_index.md +++ b/daprdocs/content/en/reference/environment/_index.md @@ -29,4 +29,5 @@ The following table lists the environment variables used by the Dapr runtime, CL | DAPR_COMPONENTS_SOCKETS_EXTENSION | .NET and Java pluggable component SDKs | A per-SDK configuration that indicates the default file extension applied to socket files created by the SDKs. Not a Dapr-enforced behavior. | | DAPR_PLACEMENT_METADATA_ENABLED | Dapr placement | Enable an endpoint for the Placement service that exposes placement table information on actor usage. Set to `true` to enable in self-hosted mode. [Learn more about the Placement API]({{% ref placement_api.md %}}) | | DAPR_HOST_IP | Dapr sidecar | The host's chosen IP address. If not specified, will loop over the network interfaces and select the first non-loopback address it finds.| -| DAPR_HEALTH_TIMEOUT | SDKs | Sets the time on the "wait for sidecar" availability. Overrides the default timeout setting of 60 seconds. | \ No newline at end of file +| DAPR_HEALTH_TIMEOUT | SDKs | Sets the time on the "wait for sidecar" availability. Overrides the default timeout setting of 60 seconds. | +| DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK | Dapr control plane & sidecar | Disable the check that ensures the Dapr containers are not running as root on Kubernetes linux. This is not recommended for production environments. Set to `true` to disable the check. | From 19fdd60b37105911e7b82eca7d5b5ce8a7626633 Mon Sep 17 00:00:00 2001 
From: Mark Fussell Date: Fri, 5 Sep 2025 15:35:27 -0700 Subject: [PATCH 4/4] Moved non-root execution section for Kubernetes Moved the section on running Dapr services as non-root in Kubernetes, including environment variable configuration. Signed-off-by: Mark Fussell --- daprdocs/content/en/concepts/security-concept.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/daprdocs/content/en/concepts/security-concept.md b/daprdocs/content/en/concepts/security-concept.md index 867dedfaf46..fa284cde420 100644 --- a/daprdocs/content/en/concepts/security-concept.md +++ b/daprdocs/content/en/concepts/security-concept.md @@ -153,6 +153,12 @@ With Dapr OAuth 2.0 middleware, you can enable OAuth authorization on Dapr endpo You can adopt common network security technologies, such as network security groups (NSGs), demilitarized zones (DMZs), and firewalls, to provide layers of protection over your networked resources. For example, unless configured to talk to an external binding target, Dapr sidecars don’t open connections to the internet and most binding implementations only use outbound connections. You can design your firewall rules to allow outbound connections only through designated ports. +## Run as non-root in Kubernetes +When running in Kubernetes, Dapr services ensure each process is running as non-root. This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. +```bash +DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true" +``` + # Security policies Dapr has an extensive set of security policies you can apply to your applications. You can scope what they are able to do, either through a policy setting in the sidecar configuration, or with the component specification. 
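Review bot: the relocated section lands as a `##` subsection directly after the paragraph on network security groups, DMZs and firewalls and just before `# Security policies`, so it now reads as a child of the network security discussion although it is about process identity in the container; give it its own `#` heading (matching `# Security policies` and `# Threat model`) or place it under a section about the sidecar and control-plane runtime. The move also collapsed the three sentences into one line and dropped the blank line before the code fence; keep the blank line so the fence is separated from the paragraph as elsewhere in the file, and fix "fatal erroring" to "exiting with a fatal error" while the text is being touched.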
@@ -217,15 +223,6 @@ Let's go over each of the security capabilities and describe how they are protec 7. Service B is deployed to namespace "B", which further isolates it from other services. Even if the service invocation API was enabled on it, it could not be called accidentally by being in the same namespace as Service A. Service B must explicitly set the Redis Host namespace in its component YAML file to call onto the "Redis" namespace, otherwise this call also fails. 8. The data in the Redis state store is encrypted at rest and can only be read using the correctly configured Dapr Redis state store component. -## Run as non-root -When running in Kubernetes, Dapr services ensure each process is running as non-root. -This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. -If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check. - -```bash -DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true" -``` - # Threat model Threat modeling is a process by which:
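Review bot: after this final patch the same three sentences and the same `DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true"` fence still exist verbatim in both `concepts/security-concept.md` and `operations/hosting/kubernetes/kubernetes-production.md`; keep one copy (the production-hosting page is the natural home for an operational override) and replace the other with a `{{% ref %}}` link, which is the cross-reference style the production page already uses for `arguments-annotations-overview.md`. The two pages should also carry the caveat that the environment reference row in `reference/environment/_index.md` already states ("This is not recommended for production environments"), since readers who arrive via the concept page never see the reference table. In that same reference row, "Kubernetes linux" should read "Kubernetes on Linux", and the row should say what the unset/`false` behaviour is (the check stays enabled) so the default is explicit.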