9 changes: 9 additions & 0 deletions daprdocs/content/en/concepts/security-concept.md
Expand Up @@ -217,6 +217,15 @@ Let's go over each of the security capabilities and describe how they are protec
7. Service B is deployed to namespace "B", which further isolates it from other services. Even if the service invocation API was enabled on it, it could not be called accidentally by being in the same namespace as Service A. Service B must explicitly set the Redis Host namespace in its component YAML file to call onto the "Redis" namespace, otherwise this call also fails.
8. The data in the Redis state store is encrypted at rest and can only be read using the correctly configured Dapr Redis state store component.

## Run as non-root
When running in Kubernetes, Dapr services ensure each process is running as non-root.
This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected.
If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check.

```bash
DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true"
```

# Threat model

Threat modeling is a process by which:
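Review bot: the added lines say the process "is `65532`, and fatal erroring if it is not what is expected", which is ungrammatical and vague; suggest "checking that the UID and GID of the process are `65532`, and exiting with a fatal error if they are not." The fenced block then shows a bare shell assignment, `DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true"`, with no indication of where it takes effect; state that it is an environment variable set on the Dapr containers (control plane and sidecar, per the environment reference table in this PR), for example as a pod `env` entry, rather than something typed in a shell. Since the variable is prefixed `UNSAFE`, the section should also say what is given up when it is set: the container may then run as root, which removes the protection this section exists to describe. Finally, the new `## Run as non-root` heading is inserted directly after the numbered walkthrough (steps 7 and 8) and before `# Threat model`; check that it belongs in this list of security capabilities rather than in the Kubernetes production guide, where the same text is added.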
Expand Up @@ -343,10 +343,20 @@ By default, the Dapr sidecar injector injects a sidecar without any `seccompProf

Refer to [the Arguments and Annotations overview]({{% ref "arguments-annotations-overview.md" %}}) to set the appropriate `seccompProfile` on the sidecar container.

## Best Practices
## Run as non-root
When running in Kubernetes, Dapr services ensure each process is running as non-root.
This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected.
If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check.

```bash
DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true"
```

## Best Practices

Watch this video for a deep dive into the best practices for running Dapr in production with Kubernetes.


{{< youtube id=_U9wJqq-H1g >}}

## Related links
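Review bot: the added `## Run as non-root` block is a verbatim copy of the section this PR adds to `security-concept.md`; duplicated security guidance drifts over time, so keep one canonical copy and link to it with the `{{% ref ... %}}` shortcode, as the `seccompProfile` paragraph just above already does. The same wording issues apply here ("fatal erroring", "UID & GID ... is"), and the fenced assignment should be described as a container environment variable rather than a shell command. Moving `## Best Practices` below the new section is fine, but the diff shows it removed and re-added; a one-line mention in the PR description that the heading only moved would help reviewers.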
3 changes: 2 additions & 1 deletion daprdocs/content/en/reference/environment/_index.md
Expand Up @@ -29,4 +29,5 @@ The following table lists the environment variables used by the Dapr runtime, CL
| DAPR_COMPONENTS_SOCKETS_EXTENSION | .NET and Java pluggable component SDKs | A per-SDK configuration that indicates the default file extension applied to socket files created by the SDKs. Not a Dapr-enforced behavior. |
| DAPR_PLACEMENT_METADATA_ENABLED | Dapr placement | Enable an endpoint for the Placement service that exposes placement table information on actor usage. Set to `true` to enable in self-hosted mode. [Learn more about the Placement API]({{% ref placement_api.md %}}) |
| DAPR_HOST_IP | Dapr sidecar | The host's chosen IP address. If not specified, will loop over the network interfaces and select the first non-loopback address it finds.|
| DAPR_HEALTH_TIMEOUT | SDKs | Sets the time on the "wait for sidecar" availability. Overrides the default timeout setting of 60 seconds. |
| DAPR_HEALTH_TIMEOUT | SDKs | Sets the time on the "wait for sidecar" availability. Overrides the default timeout setting of 60 seconds. |
| DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK | Dapr control plane & sidecar | Disable the check that ensures the Dapr containers are not running as root on Kubernetes linux. This is not recommended for production environments. Set to `true` to disable the check. |
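Review bot: in the new row, "Kubernetes linux" should be "Kubernetes Linux", and the description ("not running as root") is narrower than what the other two hunks say the check enforces, namely that the UID and GID equal `65532`; phrase it as disabling the check that the Dapr containers run as the expected non-root UID and GID (`65532`), so a reader does not assume any non-root UID passes without setting this variable. The `DAPR_HEALTH_TIMEOUT` row appears as removed and re-added with identical text, which usually means a trailing-whitespace or end-of-file newline change; confirm it is intentional, since it otherwise shows up as a spurious change in blame.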