=== T29: remove SDS UDS emptyDir volumes -> verify istio-proxy CrashLoopBackOff ===

+ kubectl apply -f manifest.yaml   (sds-broken.yaml)
pod/sds-broken created
+ sleep 20
+ kubectl -n istio-vt-t29 get pod sds-broken
NAME         READY   STATUS    RESTARTS   AGE
sds-broken   2/2     Running   0          20s
+ ISTIO_PROXY_STATE=$(kubectl -n istio-vt-t29 get pod sds-broken -o jsonpath='{.status.containerStatuses[?(@.name=="istio-proxy")].state}')
ISTIO_PROXY_STATE={"running":{"startedAt":"2026-07-04T23:14:50Z"}}

=== manual reproduction step (per spec notes): strip workload-socket/credential-socket/workload-certs volumeMounts+volumes from the injected pod spec, delete+reapply ===

+ kubectl get pod sds-broken -n istio-vt-t29 -o yaml > /tmp/sds-broken-live.yaml   (captured injected spec)
-> confirmed istio-proxy volumeMounts included: workload-socket, credential-socket, workload-certs (plus 7 others)
-> confirmed pod volumes included matching emptyDir entries: workload-socket, credential-socket, workload-certs
+ kubectl delete pod sds-broken -n istio-vt-t29
pod "sds-broken" deleted from istio-vt-t29 namespace
+ kubectl apply -f sds-broken-stripped.yaml   (istio-proxy volumeMounts/volumes for the 3 SDS UDS dirs removed; sidecar.istio.io/inject label kept as instructed by the spec notes)
pod/sds-broken created

=== observation: after delete+reapply with the sidecar.istio.io/inject label still 'true', the mutating webhook RE-INJECTED the sidecar and restored the 3 stripped volumeMounts/volumes (empirical finding; contradicts the naive expectation in the spec notes) ===

+ kubectl -n istio-vt-t29 get pod sds-broken -o yaml   (post reapply, inject=true)
-> istio-proxy volumeMounts:
   workload-socket
   credential-socket
   workload-certs
   istiod-ca-cert
   istio-ca-crl
   istio-data
   istio-envoy
   istio-token
   istio-podinfo
   kube-api-access-bkljg
NAME         READY   STATUS    RESTARTS   AGE
sds-broken   2/2     Running   0          69s

=== corrected reproduction: set sidecar.istio.io/inject=false (label+annotation) on the manually reconstructed pod spec so the mutating webhook skips this pod entirely and does not re-add the stripped volumeMounts/volumes ===

+ kubectl delete pod sds-broken -n istio-vt-t29
pod "sds-broken" deleted from istio-vt-t29 namespace
+ kubectl apply -f sds-broken-stripped.yaml   (inject=false this time)
pod/sds-broken created

=== observe pod over time (sidecar.istio.io/inject=false reproduction; istio-proxy has NO livenessProbe, a readinessProbe (periodSeconds=15, failureThreshold=4) and a startupProbe (periodSeconds=1, failureThreshold=600)) ===

+ kubectl -n istio-vt-t29 get pod sds-broken   (t+20s after reapply)
sds-broken   1/2     Running   0          25s
+ polled every ~15-60s for ~10 minutes: STATUS stayed '1/2 Running' and restartCount stayed 0 the entire time (the istio-proxy process itself never crashed/exited)
+ istio-proxy logs (current container; no --previous needed yet) repeatedly show:
2026-07-04T23:18:28.202664Z error sds SDS grpc server for workload proxies failed to set up UDS: failed to listen on unix socket "var/run/secrets/workload-spiffe-uds/socket": listen unix var/run/secrets/workload-spiffe-uds/socket: bind: no such file or directory
2026-07-04T23:18:29.202931Z error sds SDS grpc server for workload proxies failed to set up UDS: failed to listen on unix socket "var/run/secrets/workload-spiffe-uds/socket": listen unix var/run/secrets/workload-spiffe-uds/socket: bind: no such file or directory
2026-07-04T23:18:31.203318Z error sds SDS grpc server for workload proxies failed to set up UDS: failed to listen on unix socket "var/run/secrets/workload-spiffe-uds/socket": listen unix var/run/secrets/workload-spiffe-uds/socket: bind: no such file or directory
... (the same message repeats on every SDS retry attempt, roughly every few seconds)
+ at t=~600s (23:28:28Z), kubelet event: Warning Unhealthy (x600 over 10m) 'Startup probe failed: ... connect: connection refused'
-> kubelet kills+restarts the istio-proxy container
+ kubectl -n istio-vt-t29 get pod sds-broken   (t+~630s)
NAME         READY   STATUS    RESTARTS       AGE
sds-broken   1/2     Running   1 (3m7s ago)   13m
+ containerStatuses[istio-proxy] after restart:
{
  "containerID": "containerd://914c677aad0d72057e97acea6fad3fbc5eb9646d4c2859843748e329fdba71d2",
  "image": "registry.istio.io/release/proxyv2:1.30.0",
  "imageID": "registry.istio.io/release/proxyv2@sha256:180f7cf94fbafc3d49879e48eb180b4bb274d0c8993b7328c93a2e84378d766c",
  "lastState": {
    "terminated": {
      "containerID": "containerd://d6d05472003fc390c04bcff5080a77602fa0156b228cc7ad8012794401d8ba26",
      "exitCode": 0,
      "finishedAt": "2026-07-04T23:28:33Z",
      "reason": "Completed",
      "startedAt": "2026-07-04T23:18:27Z"
    }
  },
  "name": "istio-proxy",
  "ready": false,
  "restartCount": 1,
  "started": false,
  "state": {
    "running": {
      "startedAt": "2026-07-04T23:28:33Z"
    }
  }
}
+ kubectl -n istio-vt-t29 logs sds-broken -c istio-proxy --previous | grep -i 'SDS grpc server failed to set up UDS'   (the spec's literal grep target)
-> the literal substring 'SDS grpc server failed to set up UDS' (without ' for workload proxies') is NOT found; the actual message is:
2026-07-04T23:18:31.203318Z error sds SDS grpc server for workload proxies failed to set up UDS: failed to listen on unix socket "var/run/secrets/workload-spiffe-uds/socket": listen unix var/run/secrets/workload-spiffe-uds/socket: bind: no such file or directory
2026-07-04T23:18:35.203999Z error sds SDS grpc server for workload proxies failed to set up UDS: failed to listen on unix socket "var/run/secrets/workload-spiffe-uds/socket": listen unix var/run/secrets/workload-spiffe-uds/socket: bind: no such file or directory
2026-07-04T23:18:43.211167Z error sds SDS grpc server for workload proxies failed to set up UDS: failed to listen on unix socket "var/run/secrets/workload-spiffe-uds/socket": listen unix var/run/secrets/workload-spiffe-uds/socket: bind: no such file or directory
+ kubectl -n istio-vt-t29 describe pod sds-broken
-> Events (restart evidence):
2026-07-04T23:18:27Z  Normal   Started    Started container app
2026-07-04T23:18:27Z  Normal   Pulled     Container image "registry.istio.io/release/proxyv2:1.30.0" already present on machine
2026-07-04T23:18:27Z  Normal   Created    Created container istio-proxy
2026-07-04T23:18:27Z  Normal   Started    Started container istio-proxy
2026-07-04T23:28:28Z  Warning  Unhealthy  Startup probe failed: Get "http://10.255.159.171:15021/healthz/ready": dial tcp 10.255.159.171:15021: connect: connection refused

=== KEY FINDING: the pod STATUS column showed 'Running' continuously and NEVER displayed 'CrashLoopBackOff'. The restart at t~600s was triggered by the kubelet killing the container once the startupProbe budget was exhausted (failureThreshold 600 * periodSeconds 1s = 600s); the exit was reason=Completed, exitCode=0 -- a probe-driven kill, not a self-crash/panic -- and the container restarted with ZERO backoff delay (terminated and restarted within the same second, 2026-07-04T23:28:33Z). This is NOT the classic CrashLoopBackOff pattern (rapid successive restarts with growing backoff); it is a slow ~10-minute Running/NotReady cycle. ===
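As an added example (not part of the T29 log or of Istio's own tooling), a small Python classifier that applies the key finding above to one containerStatus entry: it separates a startupProbe-driven kill (clean exit after the probe budget, no restart backoff) from a genuine crash loop. The istio-proxy status JSON and probe settings are the values recorded in this log; the crashing contrast case and the function name classify_restart are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed input: the containerStatuses[istio-proxy] entry and the startupProbe
# settings recorded in the T29 log above (trimmed to the fields used here).
ISTIO_PROXY_STATUS = json.loads("""{
  "name": "istio-proxy", "ready": false, "restartCount": 1, "started": false,
  "lastState": {"terminated": {"exitCode": 0, "reason": "Completed",
                               "startedAt": "2026-07-04T23:18:27Z",
                               "finishedAt": "2026-07-04T23:28:33Z"}},
  "state": {"running": {"startedAt": "2026-07-04T23:28:33Z"}}
}""")
STARTUP_PROBE = {"periodSeconds": 1, "failureThreshold": 600}

# Constructed contrast case: a container that exits non-zero within seconds and
# sits in backoff before the next start, i.e. the classic CrashLoopBackOff shape.
CRASHING_STATUS = json.loads("""{
  "name": "app", "ready": false, "restartCount": 4, "started": false,
  "lastState": {"terminated": {"exitCode": 1, "reason": "Error",
                               "startedAt": "2026-07-04T23:00:00Z",
                               "finishedAt": "2026-07-04T23:00:05Z"}},
  "state": {"waiting": {"reason": "CrashLoopBackOff"}}
}""")


def _ts(s):
    # kubelet timestamps are RFC3339 in UTC with second resolution
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_restart(status, startup_probe):
    """Decide from a single containerStatus whether the last restart was a kubelet
    probe kill (clean exit after the startupProbe budget) or a self-crash."""
    term = status.get("lastState", {}).get("terminated")
    if not term or status.get("restartCount", 0) == 0:
        return {"kind": "no-restart"}
    budget = startup_probe["periodSeconds"] * startup_probe["failureThreshold"]
    lifetime = (_ts(term["finishedAt"]) - _ts(term["startedAt"])).total_seconds()
    running = status.get("state", {}).get("running")
    # Gap between the kill and the next start; 0 means the kubelet applied no backoff.
    backoff = None
    if running:
        backoff = (_ts(running["startedAt"]) - _ts(term["finishedAt"])).total_seconds()
    clean_exit = term.get("exitCode") == 0 and term.get("reason") == "Completed"
    kind = "probe-driven-kill" if clean_exit and lifetime >= budget else "self-crash"
    return {"kind": kind, "lifetime_s": lifetime, "budget_s": budget, "backoff_s": backoff}
```

Each element of `.status.containerStatuses[]` from `kubectl get pod -o json` can be passed straight to `classify_restart` together with that container's startupProbe settings.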