From 62af75ba937f968d0932ab85bae4623f0e717354 Mon Sep 17 00:00:00 2001
From: Colin Saliceti
Date: Tue, 3 Dec 2024 18:54:13 +0000
Subject: [PATCH] Implement pod run_as_user

Required to run container processes with a non-root user
---
 aks/application/resources.tf | 3 +++
 aks/application/tfdocs.md | 2 ++
 aks/application/variables.tf | 14 ++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/aks/application/resources.tf b/aks/application/resources.tf
index 994c8b7..056481d 100644
--- a/aks/application/resources.tf
+++ b/aks/application/resources.tf
@@ -180,6 +180,9 @@ resource "kubernetes_deployment" "main" {
 capabilities {
 drop = ["ALL"]
 }
+
+ run_as_user = var.run_as_user
+ run_as_group = var.run_as_group
 }
 }
 }
diff --git a/aks/application/tfdocs.md b/aks/application/tfdocs.md
index c4a8900..7653a99 100644
--- a/aks/application/tfdocs.md
+++ b/aks/application/tfdocs.md
@@ -51,6 +51,8 @@ No modules.
 | [probe\_command](#input\_probe\_command) | Command for the liveness and startup probe | `list(string)` | `[]` | no |
 | [probe\_path](#input\_probe\_path) | Path for the liveness and startup probe. The probe can be disabled by setting this to null. | `string` | `"/healthcheck"` | no |
 | [replicas](#input\_replicas) | Number of application instances | `number` | `1` | no |
+| [run\_as\_group](#input\_run\_as\_group) | GID of user running the process in the container | `string` | `null` | no |
+| [run\_as\_user](#input\_run\_as\_user) | UID of user running the process in the container | `string` | `null` | no |
 | [send\_traffic\_to\_maintenance\_page](#input\_send\_traffic\_to\_maintenance\_page) | During a maintenance operation, keep sending traffic to the maintenance page instead of resetting the ingress | `bool` | `false` | no |
 | [service\_name](#input\_service\_name) | Name of the service | `string` | n/a | yes |
 | [service\_short](#input\_service\_short) | Short name of the service | `string` | `null` | no |
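Review bot: Wiring `run_as_user`/`run_as_group` from variables that default to `null` does not by itself enforce the non-root intent in the commit message: with both unset the container keeps whatever `USER` the image declares, which may be root, and the kubelet only refuses to start a root process when `run_as_non_root` is set. Consider adding `run_as_non_root = true` next to the two new lines in this security_context (the `capabilities` block suggests it is the container-level one), or at least stating in the variable descriptions that `null` leaves the image default in effect. Pinning `run_as_non_root` is a behaviour change for any consumer whose image still runs as root, so it may need to be gated on a variable rather than hard-coded. The enclosing `kubernetes_deployment` resource starts and ends outside this hunk.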
diff --git a/aks/application/variables.tf b/aks/application/variables.tf
index 74a8d9b..7c48f9b 100644
--- a/aks/application/variables.tf
+++ b/aks/application/variables.tf
@@ -167,3 +167,17 @@ variable "enable_gcp_wif" {
 description = "Let the deployment use the GCP workload identity federation service account to get a token"
 nullable = false
 }
+
+variable "run_as_user" {
+ type = string
+ default = null
+ description = "UID of user running the process in the container"
+ nullable = true
+}
+
+variable "run_as_group" {
+ type = string
+ default = null
+ description = "GID of user running the process in the container"
+ nullable = true
+}
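Review bot: `type = string` on the two new variables accepts any text for what Kubernetes treats as an integer UID/GID, so a value such as `"app"` or an accidental `"1000 "` only fails at apply time when the API server rejects the security context. A `validation` block on each variable would surface this at plan time; the block below is for `run_as_user` and the same one, with the name swapped, applies to `run_as_group`. The string type itself appears to match the provider's schema for these fields, so only the content needs constraining. Whether `"0"` should also be rejected depends on whether the module means to forbid root outright, which the commit message suggests, so that is worth deciding explicitly rather than leaving to the image.
```hcl
variable "run_as_user" {
  type        = string
  default     = null
  description = "UID of user running the process in the container"
  nullable    = true

  validation {
    condition     = var.run_as_user == null || can(regex("^[0-9]+$", var.run_as_user))
    error_message = "run_as_user must be a numeric UID, or null to keep the image default."
  }
}

# … unchanged apart from the same validation block: variable "run_as_group" …
```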