When a client sends a request to the Kubernetes apiserver, authentication plugins attempt to associate a number of attributes to the request. These attributes can be used by authorisation plugins to determine whether the client's request can proceed.
One such attribute is the UID of the client, however Kubernetes does not review the UID attribute during authorisation. If this is the case, how is the UID attribute used?
The UID field is intentionally not used for authentication purposes, but it is to allow logging for audit purposes.
For many organizations this might not be important, but for example Google allows employees to change their usernames (but of course not the numeric UID). Logging the UID would allow lookups of actions regardless of the current username.
(Now some might point out, that changing the username will likely involve loosing the current privileges; this is an accepted limitation/inconvinience.)