Implement pod run_as_user

Required to run container processes with a non-root user
DFE-Digital · Dec 3, 2024 · 62af75b · 62af75b
1 parent 966efba
commit 62af75b
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/aks/application/resources.tf b/aks/application/resources.tf
@@ -180,6 +180,9 @@ resource "kubernetes_deployment" "main" {
             capabilities {
               drop = ["ALL"]
             }
+
+            run_as_user  = var.run_as_user
+            run_as_group = var.run_as_group
           }
         }
       }

diff --git a/aks/application/tfdocs.md b/aks/application/tfdocs.md
@@ -51,6 +51,8 @@ No modules.
 | <a name="input_probe_command"></a> [probe\_command](#input\_probe\_command) | Command for the liveness and startup probe | `list(string)` | `[]` | no |
 | <a name="input_probe_path"></a> [probe\_path](#input\_probe\_path) | Path for the liveness and startup probe. The probe can be disabled by setting this to null. | `string` | `"/healthcheck"` | no |
 | <a name="input_replicas"></a> [replicas](#input\_replicas) | Number of application instances | `number` | `1` | no |
+| <a name="input_run_as_group"></a> [run\_as\_group](#input\_run\_as\_group) | GID of user running the process in the container | `string` | `null` | no |
+| <a name="input_run_as_user"></a> [run\_as\_user](#input\_run\_as\_user) | UID of user running the process in the container | `string` | `null` | no |
 | <a name="input_send_traffic_to_maintenance_page"></a> [send\_traffic\_to\_maintenance\_page](#input\_send\_traffic\_to\_maintenance\_page) | During a maintenance operation, keep sending traffic to the maintenance page instead of resetting the ingress | `bool` | `false` | no |
 | <a name="input_service_name"></a> [service\_name](#input\_service\_name) | Name of the service | `string` | n/a | yes |
 | <a name="input_service_short"></a> [service\_short](#input\_service\_short) | Short name of the service | `string` | `null` | no |

diff --git a/aks/application/variables.tf b/aks/application/variables.tf
@@ -167,3 +167,17 @@ variable "enable_gcp_wif" {
   description = "Let the deployment use the GCP workload identity federation service account to get a token"
   nullable    = false
 }
+
+variable "run_as_user" {
+  type        = string
+  default     = null
+  description = "UID of user running the process in the container"
+  nullable    = true
+}
+
+variable "run_as_group" {
+  type        = string
+  default     = null
+  description = "GID of user running the process in the container"
+  nullable    = true
+}