Healthcheck port lacks an entry causing Neuvector to fail when deployed in a service mesh

When Neuvector is run within an Istio service mesh, Istio requires that all interpod communication be defined in the application template. 

For example, https://github.com/neuvector/neuvector-helm/blob/27da6e2e27407e94263af1c6f9c52445a3cd076c/charts/core/templates/controller-service.yaml#L11-L21

However, the `upgrader` 
https://github.com/neuvector/neuvector/blob/0155dd77b28bdf8c15340f4f7f87f8c77e414322/upgrader/postsync.go#L212
depends on access to port `18500`. 

This causes the cert-upgrader job to continually fail and create `BlackHole` entries in the istio proxy sidecar. 

<details>

<summary> BlackHole logs</summary>
## Logs 

```
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T22:59:39.046Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:42836 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T22:59:44.110Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:47832 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T22:59:49.420Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:47836 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T22:59:54.629Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:58298 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T22:59:59.851Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:58308 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:05.303Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:34026 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:10.794Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:34042 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:15.890Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:58650 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:21.319Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:58664 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:26.542Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:50412 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:31.754Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:50420 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:36.995Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44944 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:42.103Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44960 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:47.435Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:48084 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:52.880Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44924 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:00:57.970Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44928 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:03.108Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:37196 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:08.262Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:37202 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:13.507Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:53508 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:18.830Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:53514 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:18.929Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:53528 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:24.151Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:49836 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:29.639Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:49848 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:34.785Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:58660 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:40.155Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:58670 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:45.265Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44388 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:50.679Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44394 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:01:56.069Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:56410 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:01.477Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:56424 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:06.537Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:36686 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:11.793Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:36698 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:17.045Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:56738 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:22.219Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:56740 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:27.550Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:42354 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:32.732Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:43176 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:38.110Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:43192 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:43.311Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:39190 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:48.690Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:39198 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:53.929Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:57946 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:59.136Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:57960 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:02:59.161Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:57970 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:04.644Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:53286 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:09.968Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:53292 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:15.036Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:60560 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:20.289Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:60572 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:25.659Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44438 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:30.855Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:44440 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:35.893Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:45252 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:41.059Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:45258 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:46.155Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:45634 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:51.245Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:45644 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:03:56.507Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:59406 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:04:01.717Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:59412 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:04:06.729Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:59358 - -
[pod/neuvector-cert-upgrader-job-s9mvl/istio-proxy] [2025-04-22T23:04:12.167Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.21.0.43:18500 172.21.0.39:59360 - -
```

</details>

## Requests

Guidance on need for an internal cert when running within a mesh. 

Adding the healthcheck port to `controller-service.yaml`

	clusterIP: None
	ports:
	- port: 18300
	protocol: "TCP"
	name: "cluster-tcp-18300"
	- port: 18301
	protocol: "TCP"
	name: "cluster-tcp-18301"
	- port: 18301
	protocol: "UDP"
	name: "cluster-udp-18301"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Healthcheck port lacks an entry causing Neuvector to fail when deployed in a service mesh #486

Requests

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Healthcheck port lacks an entry causing Neuvector to fail when deployed in a service mesh #486

Description

Requests

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions