Description
What problem are you trying to solve?
Linkerd allows users to specify a custom uid for the Linkerd proxy container. However, it is important to ensure that this uid is different from the uid used by the workload container.
In our case, we have strict OPA Gatekeeper rules for allowed uids in our application pods in our K8S cluster. Because of this, when we implemented Linkerd, it was natural to set the Linkerd proxy and Linkerd init container uids to the same value as the workload container uid.
The result was that outgoing traffic from these pods was not encrypted at all, and this went unnoticed until we stumbled upon it while debugging another issue.
The only place in the Linkerd documentation where I could understand what was going on was the iptables reference (see https://linkerd.io/2.19/reference/iptables/#outbound-connections).
How should the problem be solved?
Suggestions:
- Add a warning regarding the proxy uid setting to the following pages:
  https://linkerd.io/2.19/reference/cli/install/
  https://linkerd.io/2.19/reference/proxy-configuration/
  https://github.com/linkerd/linkerd2/blob/main/charts/linkerd-control-plane/values.yaml
- Add a specific check to the "linkerd check --proxy --namespace " command to warn users if the linkerd-proxy uid and the workload container uid are the same
Any alternatives you've considered?
How would users interact with this feature?
No response
Would you like to work on this feature?
None
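The check suggested above, as an added example that is not part of the issue and not Linkerd's own code: a static pass over a Pod manifest that resolves each container's effective uid (container-level `securityContext.runAsUser`, then pod-level) and flags any workload container sharing the uid of the injected proxy. Because proxy-init's iptables rules skip outbound redirection for traffic owned by the proxy uid, such a container's outbound traffic never reaches the proxy and is sent in the clear, which is exactly the silent failure described in the report. Assumptions: the injected containers are named `linkerd-proxy` and `linkerd-init`, and the proxy uid falls back to 2102 (the linkerd2 chart default) when the proxy container carries no `runAsUser`. The two Pod manifests are constructed for the example.

```python
# Added example, not Linkerd project code. Flags workload containers that run
# as the same uid as the injected linkerd-proxy, since proxy-init's iptables
# rules exempt that uid from outbound redirection (see the iptables reference).
# Assumptions: injected containers are named "linkerd-proxy"/"linkerd-init";
# the proxy uid defaults to 2102 (chart default) when runAsUser is absent.
from typing import Any, Dict, List, Optional, Tuple

PROXY_CONTAINER = "linkerd-proxy"
INIT_CONTAINER = "linkerd-init"
DEFAULT_PROXY_UID = 2102  # assumption: linkerd-control-plane chart default


def effective_uid(container: Dict[str, Any], pod_spec: Dict[str, Any]) -> Optional[int]:
    """Return the uid a container will run as, or None if the image decides.

    Kubernetes takes runAsUser from the container's securityContext first,
    then from the pod-level securityContext. If neither is set, the image's
    USER directive applies, which a manifest-only check cannot see.
    """
    c_ctx = container.get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return int(c_ctx["runAsUser"])
    p_ctx = pod_spec.get("securityContext") or {}
    if "runAsUser" in p_ctx:
        return int(p_ctx["runAsUser"])
    return None


def find_uid_collisions(pod: Dict[str, Any]) -> Dict[str, Any]:
    """Compare every workload container's uid against the proxy's.

    Returns a dict with:
      proxy_uid  - resolved proxy uid, or None if the pod is not meshed
      collisions - (name, uid) pairs that share the proxy uid; their outbound
                   traffic bypasses the proxy and is not mTLS'd
      unknown    - names of containers whose uid is not set in the manifest
    """
    spec = pod["spec"]
    all_containers: List[Dict[str, Any]] = list(spec.get("initContainers", [])) + list(
        spec.get("containers", [])
    )
    result: Dict[str, Any] = {"proxy_uid": None, "collisions": [], "unknown": []}
    proxy = next((c for c in all_containers if c.get("name") == PROXY_CONTAINER), None)
    if proxy is None:
        return result  # not injected, nothing to check
    proxy_uid = effective_uid(proxy, spec)
    if proxy_uid is None:
        proxy_uid = DEFAULT_PROXY_UID
    result["proxy_uid"] = proxy_uid
    for c in all_containers:
        if c.get("name") in (PROXY_CONTAINER, INIT_CONTAINER):
            continue
        uid = effective_uid(c, spec)
        if uid is None:
            result["unknown"].append(c["name"])
        elif uid == proxy_uid:
            result["collisions"].append((c["name"], uid))
    return result


# Constructed manifests (not from the issue). BAD_POD mirrors the reporter's
# setup: the proxy uid was aligned with the workload uid to satisfy an
# admission policy, so the pod-level default 2102 also applies to "app".
BAD_POD: Dict[str, Any] = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsUser": 2102},
        "initContainers": [{"name": INIT_CONTAINER}],
        "containers": [
            {"name": "app"},
            {"name": PROXY_CONTAINER, "securityContext": {"runAsUser": 2102}},
        ],
    },
}

# GOOD_POD keeps the proxy on its own uid; workload containers use 1000/1001.
GOOD_POD: Dict[str, Any] = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsUser": 1000},
        "initContainers": [{"name": INIT_CONTAINER}],
        "containers": [
            {"name": "app"},
            {"name": "metrics", "securityContext": {"runAsUser": 1001}},
            {"name": PROXY_CONTAINER, "securityContext": {"runAsUser": 2102}},
        ],
    },
}


def report(pod: Dict[str, Any]) -> str:
    """Render a one-line, check-style verdict for a pod."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    r = find_uid_collisions(pod)
    if r["proxy_uid"] is None:
        return f"{name}: not meshed"
    if r["collisions"]:
        pairs = ", ".join(f"{n} (uid {u})" for n, u in r["collisions"])
        return f"{name}: FAIL proxy uid {r['proxy_uid']} shared with {pairs}"
    if r["unknown"]:
        return f"{name}: WARN uid unset for {', '.join(r['unknown'])}"
    return f"{name}: ok proxy uid {r['proxy_uid']} is unique"


if __name__ == "__main__":
    print(report(BAD_POD))
    print(report(GOOD_POD))
```

The `unknown` bucket matters in practice: a container with no `runAsUser` anywhere in the manifest may still run as the proxy uid through its image's `USER`, so a real `linkerd check` would need to inspect the running container (or the image config) rather than the manifest alone.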