Istio contianer not starting with userid "8625987" in openshift

deaa · November 14, 2023, 2:06pm

Hello,

i have an issue starting an auto inject istio container with a non default userID (8625987) in openshift .

environments and situation :

using openshift and service mesh operator to deploy istio 1.14
using auto inject policy.
adding a namespace to the service mesh member roles.
in the namespace there are already some app contianers which are starting with the userID 8625987 without any problems after creating a SCC and bind this to the ServcieAccount is currently used.
starting a pod after istio enabled does not work. error from the events :
is forbidden: unable to validate against any security context constraint: securityContext.runAsUser: Invalid value: 8625987: must be in the ranges: [1000640000, 1000649999]]",
starting the same pod with the disabling istio using the annotation will start the pod using the userID without problems :
sidecar.istio.io/inject: ‘false’

yaml example :

apiVersion: v1
kind: Pod
metadata:
name: test-pod
namespace: test-ns
spec:
  securityContext:
      runAsUser: 8625987
  containers:
  - image: bitnami/nginx:1.21.1-debian-10-r31
    name: registry
  serviceAccount: scc-8625987

any ideas ?

thanks you.

Topic		Replies	Views
Override runAsUser, runAsGroup values that the operator injects into the gateway deployment Networking openshift , security	1	690	May 19, 2022
Istio Init Containers do not work with Pod Security Policies Security	0	877	May 17, 2021
Issue with Istio sidecar injection and psp	2	1969	April 15, 2019
Istio init-container running as root with all capabilities Security	0	1510	September 30, 2019
Istio sidecar auto injection failed Security openshift , security	0	570	February 22, 2023

Istio contianer not starting with userid "8625987" in openshift

Related topics