Istio contianer not starting with userid "8625987" in openshift


i have an issue starting an auto inject istio container with a non default userID (8625987) in openshift .

environments and situation :

  • using openshift and service mesh operator to deploy istio 1.14
  • using auto inject policy.
  • adding a namespace to the service mesh member roles.
  • in the namespace there are already some app contianers which are starting with the userID 8625987 without any problems after creating a SCC and bind this to the ServcieAccount is currently used.
  • starting a pod after istio enabled does not work. error from the events :
    is forbidden: unable to validate against any security context constraint: securityContext.runAsUser: Invalid value: 8625987: must be in the ranges: [1000640000, 1000649999]]",
  • starting the same pod with the disabling istio using the annotation will start the pod using the userID without problems : ‘false’

yaml example :

apiVersion: v1
kind: Pod
name: test-pod
namespace: test-ns
      runAsUser: 8625987
  - image: bitnami/nginx:1.21.1-debian-10-r31
    name: registry
  serviceAccount: scc-8625987

any ideas ?

thanks you.