Prevents containers from running as user or group ID 1337 or 2102, which are reserved for Istio and Linkerd. The Deployment below violates the policy because its nginx container runs as UID 1337:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
        securityContext:
          runAsUser: 1337
To exclude a workload from this policy, add the annotation securitytower.io/policy.exclusion.preventservicemeshuserid with a justification, as in the example below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.preventservicemeshuserid: |-
      This pod has a container that must run as 1337, because ... .
...
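The check this policy performs, written out as an added illustration (this is not Security Tower's own implementation): it resolves the effective runAsUser/runAsGroup of every container and init container, with container-level securityContext overriding pod-level, flags the IDs reserved for Istio and Linkerd, and skips workloads that carry a non-empty exclusion annotation. The manifest is a constructed dict equivalent to the nginx Deployment above, so no YAML library is needed.

```python
# Added illustration, not Security Tower's own implementation: flag containers
# that would run as the UIDs/GIDs reserved for Istio (1337) and Linkerd (2102),
# honouring the policy's exclusion annotation.
RESERVED_IDS = {1337, 2102}
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.preventservicemeshuserid"


def effective_ids(pod_ctx, container_ctx):
    """IDs a container really runs with: container-level securityContext
    overrides pod-level, so both levels must be consulted."""
    ids = {}
    for field in ("runAsUser", "runAsGroup"):
        value = (container_ctx or {}).get(field, (pod_ctx or {}).get(field))
        if value is not None:
            ids[field] = value
    return ids


def find_violations(deployment):
    """Return (container, field, id) triples that hit a reserved ID, or []
    when the workload is excluded by a non-empty justification annotation."""
    annotations = deployment.get("metadata", {}).get("annotations") or {}
    if annotations.get(EXCLUSION_ANNOTATION, "").strip():
        return []
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_ctx = pod_spec.get("securityContext", {})
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [
        (c["name"], field, value)
        for c in containers
        for field, value in effective_ids(pod_ctx, c.get("securityContext")).items()
        if value in RESERVED_IDS
    ]


# Constructed sample: the fields of the nginx Deployment above that matter here,
# as the dict yaml.safe_load would produce (no YAML library needed).
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.14.2",
         "securityContext": {"runAsUser": 1337}},
    ]}}},
}
```

Running find_violations(NGINX_DEPLOYMENT) reports the nginx container's runAsUser 1337; adding the exclusion annotation with a justification to metadata.annotations makes the same manifest pass.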