"must enable containers running with UID 0 for Istio’s service accounts"

[pantianying]

Describe the feature request

Referring to the official documentation, I installed ISTIO in OpenShift https://istio.io/latest/docs/setup/platform-setup/openshift There's a description：

I can't understand where the group: istio-system needs to use the uid of 0. As far as I can understand, i think that enough that only istio-cni needs such permission

[X] Docs [ ] Installation [ ] Networking [ ] Performance and Scalability [ ] Extensions and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Additional context

[howardjohn]

This is probably not accurate anymore? @jwendell @dgn?

[pantianying]

The network-related operations have been completed through the CNI plug-in. I can't install ISTIO when I don't give istio these permissions, but I don't know why istio needs such high permissions. This is a black box for me, so can someone explain it to me.

ths

[jwendell]

I'll give it a try with 1.8 which was just cut. Last time I checked (1.7) some component still needed those permissions, that's why those instructions are still in that page.

[dgn]

anyuid isn't just about UID 0 -- you also need that capability to run as UID 1337. So it might be the gateways