I have an issue starting an auto-injected Istio container with a non-default userID (8625987) in OpenShift.
Environment and situation:
- Using OpenShift and the Service Mesh operator to deploy Istio 1.14.
- Using the auto-inject policy.
- Adding a namespace to the service mesh member roll.
- In the namespace there are already some app containers which start with the userID 8625987 without any problems, after creating an SCC and binding it to the ServiceAccount that is currently used.
- Starting a pod after Istio is enabled does not work. Error from the events:
```
is forbidden: unable to validate against any security context constraint: securityContext.runAsUser: Invalid value: 8625987: must be in the ranges: [1000640000, 1000649999]]
```
- Starting the same pod with Istio disabled via the annotation will start the pod using the userID without problems:
YAML example:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test-ns
spec:
  securityContext:
    runAsUser: 8625987      # pod-level value, inherited by containers that set none
  containers:
    - image: bitnami/nginx:1.21.1-debian-10-r31
      name: registry
  serviceAccount: scc-8625987   # deprecated alias of serviceAccountName; the SA the custom SCC is bound to
```
Any ideas?
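Added diagnostic script (not part of the question above, and not from OpenShift or Istio). It shows the two things the admission error above depends on: the namespace's UID block, which OpenShift stores in the annotation `openshift.io/sa.scc.uid-range` as `<start>/<length>` and from which the `restricted` SCC's `MustRunAsRange` interval is derived (1000640000/10000 gives exactly the [1000640000, 1000649999] quoted in the error), and the effective `runAsUser` of every init and regular container of a pod. SCC admission validates the pod-level `securityContext` and each container against one SCC at a time, so an injected sidecar or init container whose `runAsUser` the custom SCC does not permit makes the whole pod fall through to the other SCCs the service account may use. It assumes a logged-in `oc` CLI; the names `test-ns` and `scc-8625987` are the ones from the question. A pod rejected at admission never exists as an object, so run `check_pod` against the pod that started with injection disabled (or any injected pod that was admitted) and compare with `show_scc`.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `oc` is logged in with
# read access to the namespace, its pods and the SCCs.

# range_end "<start>/<length>": last UID of an openshift.io/sa.scc.uid-range
# block, e.g. range_end 1000640000/10000 -> 1000649999
range_end() {
  spec=$1
  echo $(( ${spec%%/*} + ${spec##*/} - 1 ))
}

# uid_in_range UID "<start>/<length>": exit 0 if UID lies inside the block.
uid_in_range() {
  uid=$1
  spec=$2
  start=${spec%%/*}
  [ "$uid" -ge "$start" ] && [ "$uid" -le "$(range_end "$spec")" ]
}

# check_pod NAMESPACE POD: which SCC admitted the pod (annotation
# openshift.io/scc) and the effective runAsUser of every container.
check_pod() {
  ns=$1
  pod=$2
  range=$(oc get ns "$ns" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}')
  if [ -z "$range" ]; then
    echo "namespace $ns has no openshift.io/sa.scc.uid-range annotation"
    return 1
  fi
  pod_uid=$(oc get pod "$pod" -n "$ns" -o jsonpath='{.spec.securityContext.runAsUser}')
  scc=$(oc get pod "$pod" -n "$ns" -o jsonpath='{.metadata.annotations.openshift\.io/scc}')
  echo "namespace $ns uid-range: $range -> [${range%%/*}, $(range_end "$range")]"
  echo "pod $pod admitted by SCC: ${scc:-<none recorded>}"
  echo "pod-level runAsUser: ${pod_uid:-unset}"
  # One line per init container and per regular container: "<kind> <name> <uid>"
  oc get pod "$pod" -n "$ns" -o jsonpath='{range .spec.initContainers[*]}init {.name} {.securityContext.runAsUser}{"\n"}{end}{range .spec.containers[*]}container {.name} {.securityContext.runAsUser}{"\n"}{end}' |
  while read -r kind name uid; do
    [ -z "$uid" ] && uid=$pod_uid     # no container-level value: inherits the pod-level one
    if [ -z "$uid" ]; then
      verdict="unset (the admitting SCC assigns one)"
    elif uid_in_range "$uid" "$range"; then
      verdict="inside the namespace range"
    else
      verdict="OUTSIDE the namespace range, so only an SCC that allows this UID can admit the pod"
    fi
    echo "$kind $name: runAsUser=${uid:-unset} $verdict"
  done
}

# show_scc NAME: the runAsUser strategy of an SCC and the subjects that may use it.
show_scc() {
  oc get scc "$1" -o jsonpath='{.metadata.name}: runAsUser={.runAsUser}{"\n"}'
  oc adm policy who-can use scc "$1"
}
```

Usage: source the file, then `check_pod test-ns <pod-name>` for the pod that did start, and `show_scc scc-8625987` next to `show_scc restricted` to see which of them lists the `scc-8625987` service account and whether its `runAsUser` strategy covers every container the injection adds, not only the app container.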