InvalidApplicationUID

消息名称InvalidApplicationUID
消息代码IST0144
描述Application pods should not run as user ID (UID) 1337
等级Warning

当工作负载以 User ID (UID) 1337 运行时,会出现此消息。应用程序的 Pod 不应该以 User ID (UID) 1337 运行,因为 istio-proxy 容器默认以 UID 1337 运行。 当使用相同的 UID 运行您的容器应用时,将导致它的 iptables 配置冲突。

User ID (UID) 1337 保留用于 Sidecar Proxy。

示例

探讨设置为 securityContext.runAsUserDeployment 如何使用 UID 1337 在 Pod 级别或容器级别运行:

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4. name: deploy-con-sec-uid
  5. labels:
  6. app: helloworld
  7. version: v1
  8. spec:
  9. replicas: 1
  10. selector:
  11. matchLabels:
  12. app: helloworld
  13. version: v1
  14. template:
  15. metadata:
  16. labels:
  17. app: helloworld
  18. version: v1
  19. spec:
  20. securityContext:
  21. runAsUser: 1337
  22. containers:
  23. - name: helloworld
  24. image: docker.io/istio/examples-helloworld-v1
  25. securityContext:
  26. runAsUser: 1337
  27. resources:
  28. requests:
  29. cpu: "100m"
  30. imagePullPolicy: IfNotPresent #Always
  31. ports:
  32. - containerPort: 5000

如何修复

由于 User ID (UID) 1337 是为 Sidecar 代理保留的,所以您可以为您的工作负载使用除了 1337 以外的 User ID (UID),例如 1338

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4. name: deploy-con-sec-uid
  5. labels:
  6. app: helloworld
  7. version: v1
  8. spec:
  9. replicas: 1
  10. selector:
  11. matchLabels:
  12. app: helloworld
  13. version: v1
  14. template:
  15. metadata:
  16. labels:
  17. app: helloworld
  18. version: v1
  19. spec:
  20. securityContext:
  21. runAsUser: 1338
  22. containers:
  23. - name: helloworld
  24. image: docker.io/istio/examples-helloworld-v1
  25. securityContext:
  26. runAsUser: 1338
  27. resources:
  28. requests:
  29. cpu: "100m"
  30. imagePullPolicy: IfNotPresent #Always
  31. ports:
  32. - containerPort: 5000