This article explains how to deploy and run the MicroEnforcer as a non-root user inside a container image at run time.


Summary


In a Container as a Service (CaaS) environment, such as AWS Fargate or EKS, or any other cloud-based container environment, it may not be possible to deploy a regular Enforcer onto each Kubernetes worker node, or to deploy a VM Enforcer. In that case, it is necessary to deploy the workload container with an embedded MicroEnforcer running as a non-root user.


If required, you can run the MicroEnforcer as a non-root user, with only non-root privileges.


Solution


Aqua supports running a MicroEnforcer inside a container as a non-root user.


The instructions for deploying a MicroEnforcer as a non-root user are in the Embedded MicroEnforcer documentation page; see the section If your image has a non-root default user.
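The following Dockerfile is an added illustration of the general pattern behind that documentation section (an application image that switches to a non-root user and still launches an embedded enforcer binary ahead of the application). It is not Aqua's documented procedure: the source image tag, the binary path /.aquasec/bin/microenforcer, the writable data directory, and the AQUA_SERVER / AQUA_TOKEN settings are assumptions used for illustration, and the real values must be taken from the Embedded MicroEnforcer page.

```dockerfile
# Added example, not Aqua's documented Dockerfile. Assumed values (replace
# from the Embedded MicroEnforcer docs):
#   - the MicroEnforcer binary is copied from an image tagged
#     aqua-microenforcer:PLACEHOLDER_VERSION
#   - it lives at /.aquasec/bin/microenforcer and wraps the app entrypoint
#   - it needs a writable directory, assumed here to be /.aquasec/data
#   - connection settings arrive as AQUA_SERVER / AQUA_TOKEN at run time
FROM python:3.12-slim AS app

# Dedicated unprivileged user for both the application and the enforcer.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 --create-home app

# Install the application, owned by the non-root user.
WORKDIR /app
COPY --chown=app:app . /app

# Copy in the enforcer binary. Ownership and mode must allow the non-root
# user to read and execute it; a root-owned 0700 binary would make the
# container fail at start once USER is switched below.
COPY --from=aqua-microenforcer:PLACEHOLDER_VERSION --chown=app:app \
     /bin/microenforcer /.aquasec/bin/microenforcer
RUN chmod 0550 /.aquasec/bin/microenforcer \
 && mkdir -p /.aquasec/data \
 && chown app:app /.aquasec/data \
 && chmod 0750 /.aquasec/data

# Drop privileges: everything after this line, including the entrypoint,
# runs as uid 10001 with no root capabilities.
USER 10001:10001

# The enforcer starts first and launches the application as its child;
# the application command is passed through as arguments.
ENTRYPOINT ["/.aquasec/bin/microenforcer"]
CMD ["python", "/app/main.py"]
```

To confirm the image really drops privileges before the enforcer starts, run it with the entrypoint overridden, for example docker run --rm --entrypoint id IMAGE, and check that the reported uid is 10001 rather than 0. Any directory the enforcer writes to must be created and chowned during the build as above, because the non-root process cannot create it under / at run time.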


The Enforce and Audit Only enforcement modes are independent of whether the MicroEnforcer runs as root or as a non-root user. In Enforce mode, the MicroEnforcer blocks violations and sends audit events. In Audit Only mode, the MicroEnforcer behaves like all other Enforcers: it sends only audit data and does not block any executions.