Neuvector updater job pods include istio sidecar and never shut down
Long-lived neuvector deployments periodically spawn "updater-pods" as part of a scheduled cronjob. Istio sidecar injection is not disabled for the job pod, so after the job successfully completes, the pods remain in a NotReady state.
Over time that leads to a namespace that looks something like this:
~ kubectl get pods -n neuvector | grep updater
neuvector-updater-pod-28019520-kqdph 0/1 Completed 0 35d
neuvector-updater-pod-28020960-ngt96 0/1 Completed 0 34d
neuvector-updater-pod-28022400-gd4pd 1/2 NotReady 0 33d
neuvector-updater-pod-28023840-wr5qr 1/2 NotReady 0 32d
neuvector-updater-pod-28025280-wqvmc 1/2 NotReady 0 31d
neuvector-updater-pod-28026720-qcwwf 1/2 NotReady 0 30d
neuvector-updater-pod-28028160-f278z 1/2 NotReady 0 29d
neuvector-updater-pod-28029600-h795q 1/2 NotReady 0 28d
neuvector-updater-pod-28031040-wq9t2 1/2 NotReady 0 27d
neuvector-updater-pod-28032480-kzt68 1/2 NotReady 0 26d
neuvector-updater-pod-28033920-sh8v9 1/2 NotReady 0 25d
neuvector-updater-pod-28035360-pr47w 1/2 NotReady 0 24d
neuvector-updater-pod-28036800-cfgd7 1/2 NotReady 0 23d
neuvector-updater-pod-28038240-qhqdh 1/2 NotReady 0 22d
neuvector-updater-pod-28039680-xwn2c 1/2 NotReady 0 21d
neuvector-updater-pod-28041120-hnwnm 1/2 NotReady 0 20d
neuvector-updater-pod-28042560-95t8d 1/2 NotReady 0 19d
neuvector-updater-pod-28044000-pz2qb 1/2 NotReady 0 18d
neuvector-updater-pod-28045440-rx8qp 1/2 NotReady 0 17d
neuvector-updater-pod-28046880-29gqm 1/2 NotReady 0 16d
neuvector-updater-pod-28048320-bmmf9 1/2 NotReady 0 15d
neuvector-updater-pod-28049760-w55j6 1/2 NotReady 0 14d
neuvector-updater-pod-28051200-9mxld 1/2 NotReady 0 13d
neuvector-updater-pod-28052640-kwlfr 1/2 NotReady 0 12d
neuvector-updater-pod-28054080-nxm4s 1/2 NotReady 0 11d
neuvector-updater-pod-28055520-fd9p7 1/2 NotReady 0 10d
neuvector-updater-pod-28056960-cgssd 1/2 NotReady 0 9d
neuvector-updater-pod-28058400-llmpd 1/2 NotReady 0 8d
neuvector-updater-pod-28059840-qgjgd 1/2 NotReady 0 7d14h
neuvector-updater-pod-28061280-b4cmh 1/2 NotReady 0 6d14h
neuvector-updater-pod-28062720-8cgkf 1/2 NotReady 0 5d14h
neuvector-updater-pod-28064160-6nq4k 1/2 NotReady 0 4d14h
neuvector-updater-pod-28065600-6xvjp 1/2 NotReady 0 3d14h
neuvector-updater-pod-28067040-pncxj 1/2 NotReady 0 2d14h
neuvector-updater-pod-28068480-ct5h7 1/2 NotReady 0 38h
neuvector-updater-pod-28069920-fldx4 1/2 NotReady 0 14h
Recommend we conditionally add the "sidecar.istio.io/inject": "false" label when .Values.istio.enabled is true to the cronjob template's pod spec.
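
A sketch of the suggested change as a Helm template, added here as an illustration and not taken from the NeuVector chart. The resource name, schedule, container name and image are placeholders; only `.Values.istio.enabled` and the label come from the issue, and the chart's values.yaml is assumed to define `istio.enabled`.

```yaml
# Hypothetical cronjob template (not the NeuVector chart's own file).
# Assumes values.yaml defines:
#   istio:
#     enabled: false
apiVersion: batch/v1
kind: CronJob
metadata:
  name: example-updater-pod            # placeholder name
spec:
  schedule: "0 0 * * *"                # placeholder schedule
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: example-updater-pod   # placeholder label
            {{- if .Values.istio.enabled }}
            # Opt the job pod out of sidecar injection so that no
            # istio-proxy container keeps running after the updater
            # container exits.
            sidecar.istio.io/inject: "false"
            {{- end }}
        spec:
          restartPolicy: Never
          containers:
            - name: updater            # placeholder container
              image: "example.invalid/updater:placeholder"
```

Rendering the chart with `helm template . --set istio.enabled=true` and again with `istio.enabled=false` should show the label only in the first output. Injection is decided when a pod is created, so pods already stuck in NotReady are unaffected by the template change and still have to be deleted.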