InvalidApplicationUID

消息名称	InvalidApplicationUID
消息代码	IST0144
描述	Application pods should not run as user ID (UID) 1337
等级	Warning

当工作负载以 User ID (UID) 1337 运行时，会出现此消息。应用程序的 Pod 不应该以 User ID (UID) 1337 运行，因为 istio-proxy 容器默认以 UID 1337 运行。当使用相同的 UID 运行您的容器应用时，将导致它的 iptables 配置冲突。

例如

探讨 Deployment 和 securityContext.runAsUser 使用 UID 1337 在 Pod 级别或容器级别运行：

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-con-sec-uid
  labels:
    app: helloworld
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v1
  template:
    metadata:
      labels:
        app: helloworld
        version: v1
    spec:
      securityContext:
        runAsUser: 1337
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v1
        securityContext:
          runAsUser: 1337
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000

解决办法

由于 User ID (UID) 1337 是为 Sidecar 代理保留的，所以您可以为您的工作负载使用除了 1337 以外的 User ID (UID)，例如 1338 。

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-con-sec-uid
  labels:
    app: helloworld
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v1
  template:
    metadata:
      labels:
        app: helloworld
        version: v1
    spec:
      securityContext:
        runAsUser: 1338
      containers:
      - name: helloworld
        image: docker.io/istio/examples-helloworld-v1
        securityContext:
          runAsUser: 1338
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000