There is a requirement from the client to run the Istio components as non-root. I have a PR to run the Istio components (galley/pilot/citadel/sidecar-injection/mixer) as user istio-proxy (UID: 1337). There has been some discussion, offline or in that ticket, about which user should be used:
- istio-proxy (UID: 1337) - already reserved by the Istio proxy; expand it to be used by other components.
- create a new user (istio) to be used by the Istio components except for the Istio proxy.
- create a new user nonroot (UID: 65532) to align with the distroless:nonroot image.
- create a separate user for each component, e.g. user istio-galley for the galley component, user istio-pilot for the pilot component, etc.
Any suggestions?