• Maistra TP sprint 12

      The sidecar injector should determine what user ID the sidecar container should run as. The user ID must not be used by any other container inside the same pod, so that iptables can properly ignore packets from the proxy, while handling all others.

      I see two options:

      • use the maximum ID from the range of allowed user IDs specified on the namespace/project
      • inspect all the containers in the pod to find an unused user ID and use it.

      It's probably simpler to go with the second option, since the first one would require the sidecar injector to read the namespace (which would require watching & caching), and also doesn't guarantee that no other container is using the same user ID.

      Also, there needs to be a way for users to manually specify the user ID in case they want to override the default behavior.

            mluksa@redhat.com Marko Luksa
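The second option above (inspect the pod's containers for an unused user ID, with a manual override), sketched in Go as an added example that is not Maistra or Istio code. The `Pod` and `Container` types are simplified stand-ins, and the annotation name `example.invalid/proxy-uid` and the `start` parameter are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

const overrideAnnotation = "example.invalid/proxy-uid" // hypothetical name

// Minimal stand-ins for the pod fields the check reads (assumed shapes).
type Container struct {
	RunAsUser *int64 // container securityContext.runAsUser, nil if unset
}
type Pod struct {
	Annotations map[string]string
	RunAsUser   *int64 // pod securityContext.runAsUser, nil if unset
	Containers  []Container
}

// ChooseProxyUID returns the first UID >= start that no container declares.
// unknown is set when a container declares no UID (image USER or admission decides).
func ChooseProxyUID(pod Pod, start int64) (uid int64, unknown bool, err error) {
	used := map[int64]bool{}
	for _, c := range pod.Containers {
		switch {
		case c.RunAsUser != nil: // container-level setting wins over pod-level
			used[*c.RunAsUser] = true
		case pod.RunAsUser != nil:
			used[*pod.RunAsUser] = true
		default:
			unknown = true
		}
	}
	if v, ok := pod.Annotations[overrideAnnotation]; ok {
		uid, err = strconv.ParseInt(v, 10, 64)
		if err != nil || uid <= 0 || used[uid] { // assumption: UID 0 is never accepted
			return 0, unknown, fmt.Errorf("override UID %q is invalid or already used in the pod", v)
		}
		return uid, unknown, nil
	}
	for uid = start; used[uid]; uid++ {
	}
	return uid, unknown, nil
}

func main() {
	u := int64(1000) // constructed sample: one container declaring UID 1000
	fmt.Println(ChooseProxyUID(Pod{Containers: []Container{{RunAsUser: &u}}}, 1000))
}
```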