istio.io/content/en/docs/reference/config/analysis/ist0144/index.md

---
title: InvalidApplicationUID
layout: analysis-message
owner: istio/wg-user-experience-maintainers
test: n/a
---

This message occurs when a workload is running as User ID (UID) 1337. Application pods should not run as UID 1337 because the `istio-proxy` container runs as UID 1337. Running your application containers with the same UID would conflict with the sidecar proxy's iptables configuration.

{{< warning >}} User ID (UID) 1337 is reserved for the sidecar proxy. {{< /warning >}}

## An example

Consider a `Deployment` that sets `securityContext.runAsUser` to UID 1337, either at the Pod level or at the container level:

{{< text yaml >}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-con-sec-uid
  labels:
    app: helloworld
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v1
  template:
    metadata:
      labels:
        app: helloworld
        version: v1
    spec:
      securityContext:
        runAsUser: 1337
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v1
        securityContext:
          runAsUser: 1337
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
{{< /text >}}

## How to resolve

Because UID 1337 is reserved for the sidecar proxy, you can use a different UID, such as 1338, for your workload.

{{< text yaml >}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-con-sec-uid
  labels:
    app: helloworld
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v1
  template:
    metadata:
      labels:
        app: helloworld
        version: v1
    spec:
      securityContext:
        runAsUser: 1338
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v1
        securityContext:
          runAsUser: 1338
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
{{< /text >}}
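The following pre-deployment check is an added example, not Istio's analyzer code. It reports application containers whose effective `runAsUser` is 1337, whether set at the Pod level or the container level, and goes slightly beyond the case above by also covering `initContainers`, `CronJob` templates and `kind: List` input. The `metrics` container in the sample is hypothetical, and the sample manifest is constructed.

```python
import json

RESERVED_UID = 1337              # reserved for the sidecar proxy
PROXY_CONTAINER = "istio-proxy"  # runs as 1337 by design, so it is skipped

def pod_spec(obj):
    """Return the pod spec of a Pod, CronJob, or workload with spec.template."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def find_reserved_uid(obj):
    """Return (container, level) pairs whose effective runAsUser is 1337."""
    spec = pod_spec(obj)
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        if c.get("name") == PROXY_CONTAINER:
            continue
        own = (c.get("securityContext") or {}).get("runAsUser")
        # A container-level runAsUser overrides the pod-level value.
        uid, level = (own, "container") if own is not None else (pod_uid, "pod")
        if uid == RESERVED_UID:
            findings.append((c.get("name"), level))
    return findings

def scan(manifest_json):
    """Map workload name -> findings for one object or a kind: List."""
    doc = json.loads(manifest_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return {o["metadata"]["name"]: f for o in items if (f := find_reserved_uid(o))}

# Constructed sample: pod-level 1337, one container inheriting it, one overriding it.
SAMPLE = """{"kind": "Deployment", "metadata": {"name": "deploy-con-sec-uid"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsUser": 1337},
   "containers": [
     {"name": "helloworld"},
     {"name": "metrics", "securityContext": {"runAsUser": 1338}},
     {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}}]}}}}"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

`scan` accepts the JSON form of a single object or of a list, so the output of `kubectl get deployments -o json` can be passed to it directly.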