[1.16] Add docs on DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK env var (#4832)

* [1.16] Add docs on DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK env var Fixes https://github.com/dapr/docs/issues/4784 Signed-off-by: joshvanl <me@joshvanl.dev> * Apply suggestions from code review Co-authored-by: Mark Fussell <markfussell@gmail.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Adds DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK to environment reference Signed-off-by: joshvanl <me@joshvanl.dev> * Moved non-root execution section for Kubernetes Moved the section on running Dapr services as non-root in Kubernetes, including environment variable configuration. Signed-off-by: Mark Fussell <markfussell@gmail.com> --------- Signed-off-by: joshvanl <me@joshvanl.dev> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> Signed-off-by: Mark Fussell <markfussell@gmail.com> Co-authored-by: Mark Fussell <markfussell@gmail.com>
2025-09-05 19:56:55 -03:00 · 2025-09-05 19:56:55 -03:00 · 4a9ece2109
parent 2ff6e63317
commit 4a9ece2109
3 changed files with 19 additions and 2 deletions
--- a/daprdocs/content/en/concepts/security-concept.md
+++ b/daprdocs/content/en/concepts/security-concept.md
@ -153,6 +153,12 @@ With Dapr OAuth 2.0 middleware, you can enable OAuth authorization on Dapr endpo

 You can adopt common network security technologies, such as network security groups (NSGs), demilitarized zones (DMZs), and firewalls, to provide layers of protection over your networked resources. For example, unless configured to talk to an external binding target, Dapr sidecars don’t open connections to the internet and most binding implementations only use outbound connections. You can design your firewall rules to allow outbound connections only through designated ports.

+## Run as non-root in Kubernetes
+When running in Kubernetes, Dapr services ensure each process is running as non-root. This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected. If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check.
+```bash
+DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true"
+```
+
 # Security policies

 Dapr has an extensive set of security policies you can apply to your applications. You can scope what they are able to do, either through a policy setting in the sidecar configuration, or with the component specification. 
--- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md
+++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md
@ -343,10 +343,20 @@ By default, the Dapr sidecar injector injects a sidecar without any `seccompProf

 Refer to [the Arguments and Annotations overview]({{% ref "arguments-annotations-overview.md" %}}) to set the appropriate `seccompProfile` on the sidecar container.

+## Run as non-root
+When running in Kubernetes, Dapr services ensure each process is running as non-root.
+This is done by checking the UID & GID of the process is `65532`, and fatal erroring if it is not what is expected.
+If you must run a non-default UID & GID in Kubernetes, set the following env var to skip this check.
+
+```bash
+DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK="true"
+```
+
 ## Best Practices

 Watch this video for a deep dive into the best practices for running Dapr in production with Kubernetes.

+
 {{< youtube id=_U9wJqq-H1g >}}

 ## Related links
--- a/daprdocs/content/en/reference/environment/_index.md
+++ b/daprdocs/content/en/reference/environment/_index.md
@ -30,3 +30,4 @@ The following table lists the environment variables used by the Dapr runtime, CL
 | DAPR_PLACEMENT_METADATA_ENABLED | Dapr placement | Enable an endpoint for the Placement service that exposes placement table information on actor usage. Set to `true` to enable in self-hosted mode. [Learn more about the Placement API]({{% ref placement_api.md %}}) |
 | DAPR_HOST_IP | Dapr sidecar | The host's chosen IP address. If not specified, will loop over the network interfaces and select the first non-loopback address it finds.|
 | DAPR_HEALTH_TIMEOUT | SDKs | Sets the time on the "wait for sidecar" availability. Overrides the default timeout setting of 60 seconds. |
+| DAPR_UNSAFE_SKIP_CONTAINER_UID_GID_CHECK | Dapr control plane & sidecar | Disable the check that ensures the Dapr containers are not running as root on Kubernetes linux. This is not recommended for production environments. Set to `true` to disable the check. |