In environments with strict host-level UID enforcement, only a predefined set of user IDs (UIDs) is permitted to run processes on the host. However, Kubernetes system pods such as pause, coredns, and calico-typha use container-specific UIDs that are not defined on the host. Because container processes are visible on the host with their container-internal UIDs, these pods are blocked by the host's UID restrictions.
This creates a practical challenge for securely hardened environments: How should Kubernetes be configured to operate under strict host UID restrictions, and what is the officially recommended approach for running pods in such scenarios?
Cluster information:
Kubernetes version: 1.32
Cloud being used: (put bare-metal if not on a public cloud)
Installation method: kubeadm
Host OS: Ubuntu 22
CNI and version:
CRI and version:
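As an added example, not part of the original post: a small POSIX shell check that reproduces the symptom described in the question on constructed data. It compares the UID of every host-visible process against the UIDs defined in the host's /etc/passwd and lists the processes whose UID has no host entry, which is exactly the set that a strict host UID policy would block. The passwd lines, the process list and the UIDs shown for pause, coredns and calico-typha are all constructed samples, not values measured from the real images; on a node you would feed it the real `/etc/passwd` and `ps -eo pid,uid,comm --no-headers` output instead.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists host-visible processes
# whose UID has no entry in the host's /etc/passwd, i.e. the condition the post
# describes (container-internal UIDs surfacing on the host).
# Both inputs below are constructed samples. On a real node use:
#   unmapped_uids "$(cat /etc/passwd)" "$(ps -eo pid,uid,comm --no-headers)"

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash'

# Columns: pid uid comm. The UIDs are illustrative only, not taken from real images.
SAMPLE_PS='1 0 systemd
1234 0 kubelet
2345 65535 pause
3456 65532 coredns
4567 999 calico-typha
5678 1000 bash'

# unmapped_uids PASSWD_TEXT PS_TEXT
# Prints "pid uid comm" for every process whose numeric UID does not appear in
# field 3 of any PASSWD_TEXT line. Inputs are passed as strings and joined
# with a marker line so the function runs in plain POSIX sh (no process
# substitution needed).
unmapped_uids() {
    { printf '%s\n' "$1"; printf '__PS__\n'; printf '%s\n' "$2"; } |
    awk '$0 == "__PS__" { inps = 1; next }
         !inps          { split($0, f, ":"); known[f[3]] = 1; next }
         !($2 in known) { print $1, $2, $3 }'
}

# unmapped_count PASSWD_TEXT PS_TEXT
# Number of processes reported by unmapped_uids; handy as an exit-code check.
unmapped_count() {
    unmapped_uids "$1" "$2" | wc -l | tr -d ' '
}

# Run against the constructed samples.
unmapped_uids "$SAMPLE_PASSWD" "$SAMPLE_PS"
```

On the samples above this reports the pause, coredns and calico-typha processes and nothing else, because systemd, kubelet and bash run as UIDs 0 and 1000, which the sample passwd defines. For workload pods such as coredns and calico-typha, the UID seen on the host can be pinned to a host-defined value with `securityContext.runAsUser` (and `runAsGroup`) in the pod spec; the pause sandbox container is started by the container runtime from its configured sandbox image, so its UID is not controlled by the pod's securityContext.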