From adb76bff82bcdfc6d9361f7177b56f1a4436d58e Mon Sep 17 00:00:00 2001
From: Chris Jones
Date: Wed, 16 Aug 2023 07:49:10 -0600
Subject: [PATCH] Only inject Pods that are Pending. (#501)
---
 agent-inject/agent/agent.go | 5 +++++
 agent-inject/agent/agent_test.go | 16 +++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
index de06fe7d..b0a01a7c 100644
--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -540,6 +540,11 @@ func ShouldInject(pod *corev1.Pod) (bool, error) {
 return false, nil
 }
 
+ // If injection didn't happen on pod creation, then it's too late now.
+ if pod.Status.Phase != "" && pod.Status.Phase != corev1.PodPending {
+ return false, nil
+ }
+
 // This shouldn't happen so bail.
 raw, ok = pod.Annotations[AnnotationAgentStatus]
 if !ok {
diff --git a/agent-inject/agent/agent_test.go b/agent-inject/agent/agent_test.go
index 63e4f93e..f137c6d9 100644
--- a/agent-inject/agent/agent_test.go
+++ b/agent-inject/agent/agent_test.go
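Review bot: The empty-phase arm of the new condition in ShouldInject is undocumented: `pod.Status.Phase != ""` lets a pod with no phase through, but the comment only says that injection is too late after creation. Presumably an empty phase is what the webhook sees on a CREATE request before status is populated; if so, say it, e.g. `// An empty phase is treated like Pending (presumably the pod as seen on CREATE); any other phase means the pod already exists, so skip it.` The early return is also silent, so an annotated pod that is skipped for its phase leaves no trace in this function. Whether the caller logs the decision is not visible, since ShouldInject starts and ends outside the hunk.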
@@ -91,17 +91,23 @@ func testPodIRSA(annotations map[string]string) *corev1.Pod {
 func TestShouldInject(t *testing.T) {
 tests := []struct {
 annotations map[string]string
+ phase corev1.PodPhase
 inject bool
 }{
- {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: ""}, true},
- {map[string]string{AnnotationAgentInject: "false", AnnotationAgentStatus: ""}, false},
- {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: "injected"}, false},
- {map[string]string{AnnotationAgentInject: "false", AnnotationAgentStatus: "injected"}, false},
- {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: "update"}, true},
+ {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: ""}, corev1.PodPending, true},
+ {map[string]string{AnnotationAgentInject: "false", AnnotationAgentStatus: ""}, corev1.PodPending, false},
+ {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: "injected"}, corev1.PodPending, false},
+ {map[string]string{AnnotationAgentInject: "false", AnnotationAgentStatus: "injected"}, corev1.PodPending, false},
+ {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: "update"}, corev1.PodPending, true},
+ {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: ""}, corev1.PodRunning, false},
+ {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: ""}, corev1.PodSucceeded, false},
+ {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: ""}, corev1.PodFailed, false},
+ {map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: "update"}, corev1.PodRunning, false},
 }
 
 for _, tt := range tests {
 pod := testPod(tt.annotations)
+ pod.Status.Phase = tt.phase
 inject, err := ShouldInject(pod)
 if err != nil {
 t.Errorf("got error, shouldn't have: %s", err)
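Review bot: No row in the table exercises the empty phase, which is the one value besides `corev1.PodPending` that the new condition in ShouldInject lets through; every row expecting injection sets `corev1.PodPending`. Add `{map[string]string{AnnotationAgentInject: "true", AnnotationAgentStatus: ""}, "", true},` so the `pod.Status.Phase != ""` arm is pinned and a later simplification of the check to `!= corev1.PodPending` fails a test. A `corev1.PodUnknown` row expecting `false` would complete the phase coverage. The loop body continues outside the hunk.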