Overview
This article addresses a specific initialization failure in Client Workload pods where the aembit-agent-proxy or aembit-init-iptable containers fail to start with a user identity error. This typically occurs when a pod-level security context overrides the expected User ID (UID) required by Aembit containers.
Relates To
Deployment Type: Kubernetes / Sidecar Injection
Containers:
aembit-agent-proxy,aembit-init-iptableRoot Documentation: Edge Component Container Image Best Practices
Cause (The Symptom)
The primary signature of this issue is found in the container logs during startup:
Error String:
sudo: you do not exist in the passwd databaseWarning String (v1.22+):
The injected container (...) is unlikely to run correctly because it will run as UID ... where UID ... is expected.
The Root Cause: Aembit containers are hard-coded to expect specific UIDs to perform initialization tasks (like setting up iptables). If the pod-level securityContext/runAsUser is set, it may override these values, causing sudo to fail because the overridden UID does not have an entry in the container's internal passwd file.
Solution
Align Security Context with Aembit Requirements
To resolve this, you must ensure that the Aembit-specific containers are configured to run as their expected UIDs, even if your main application container uses a different security context.
1. Identify Expected User IDs | Aembit Container | Required User ID | | :--- | :--- | | aembit_agent_proxy | 65534 | | aembit_sidecar_init | 26248 |
2. Update Deployment Spec (Manual Injection) If you are manually defining the sidecar or using a version of the Helm chart prior to v1.22, you must explicitly set the securityContext for each Aembit container in your pod spec:
YAML
containers:
- name: aembit-agent-proxy
securityContext:
runAsUser: 65534
initContainers:
- name: aembit-init-iptable
securityContext:
runAsUser: 26248
3. Automatic Mitigation (Helm v1.22+) Since Helm v1.22, Aembit's injected container definitions include securityContext/runAsUser attributes that automatically override pod-level attributes. Ensure your Agent Injector is updated to the latest version to enable this automatic fix.