=== T41 result log ===
timestamp: 2026-07-05T08:38:11+09:00

--- pods (ready state check) ---
$ kubectl -n istio-vt-t41 get pods -o wide
NAME               READY   STATUS    RESTARTS   AGE   IP               NODE          NOMINATED NODE   READINESS GATES
client             1/1     Running   0          38s   10.255.126.6     k8s-worker2
icmp-drop-target   1/1     Running   0          38s   10.255.159.180   k8s-master1

--- cmd 1: kubectl apply -f manifest.yaml (already applied above) ---
(applied successfully earlier: pod/icmp-drop-target created, service/icmp-drop-target created, pod/client created)

--- cmd 2: kubectl -n istio-vt-t41 wait --for=condition=Ready pod/icmp-drop-target pod/client --timeout=60s ---
(already confirmed Ready above: pod/icmp-drop-target condition met, pod/client condition met)

--- cmd 3: kubectl -n istio-vt-t41 exec client -- ping -c 2 -W 2 icmp-drop-target || echo 'PING FAILED (expected)' ---
PING icmp-drop-target (10.250.147.114): 56 data bytes
ping: permission denied (are you root?)
command terminated with exit code 1
PING FAILED (expected)
exit_status_of_ping: 0

--- cmd 4: kubectl -n istio-vt-t41 exec client -- sh -c "cat /dev/tcp/icmp-drop-target/8080 && echo TCP_OPEN" ---
sh: can't create /dev/tcp/icmp-drop-target/8080: nonexistent directory
command terminated with exit code 1
exit_status_of_tcp_test: 1

=== RETRY (per protocol: environmental-looking failure -> retry once) ===
--- retry cmd 3: ping ---
PING icmp-drop-target (10.250.147.114): 56 data bytes
ping: permission denied (are you root?)
command terminated with exit code 1
PING FAILED (expected)
--- retry cmd 4: /dev/tcp ---
sh: can't create /dev/tcp/icmp-drop-target/8080: nonexistent directory
command terminated with exit code 1

=== root-cause diagnosis of both spec-command failures (read-only exec, no manifest change) ===
--- client identity/capabilities (why ping fails) ---
uid=100(curl_user) gid=101(curl_group) groups=101(curl_group)
client securityContext: (curl_user uid=100, no CAP_NET_RAW granted, no root -> unprivileged ICMP socket denied BEFORE any packet is even sent -- this is a container-capability limitation of curlimages/curl, not evidence about whether the target's iptables ICMP DROP rule works.)
--- client shell (why /dev/tcp fails) ---
lrwxrwxrwx 1 root root 12 May 30 2025 /bin/sh -> /bin/busybox
NAME="Alpine Linux"
(/bin/sh -> busybox ash on Alpine; /dev/tcp pseudo-device redirection is a bash-only feature, unsupported by ash/dash -- 'nonexistent directory' is a shell-compat error, not a TCP result.)

=== independent confirmation of the underlying claim using tools actually available ===
--- (a) confirm ICMP DROP rule is active on target (iptables -L, from inside icmp-drop-target) ---
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
--- (b) confirm target socat TCP:8080 listener is up and serving ---
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       5       0.0.0.0:8080        0.0.0.0:*          users:(("socat",pid=7,fd=5))
--- (c) TCP reachability test using a tool client actually has: curl's own TCP connect (curl -v to port 8080) ---
* Host icmp-drop-target:8080 was resolved.
* IPv6: (none)
* IPv4: 10.250.147.114
*   Trying 10.250.147.114:8080...
* Connected to icmp-drop-target (10.250.147.114) port 8080
{ [16 bytes data]
icmp-dropped-ok
* shutting down connection #0
--- (d) ping test again but as root (busybox ping via su-exec/root, still inside same non-priv container - use nsenter/hostPath not available; instead run ping via ephemeral debug container as root to isolate: does ICMP actually get dropped for a privileged pinger?) ---
Targeting container "curl". If you don't see processes from this container it may be because the container runtime doesn't support this feature.
--profile=legacy is deprecated and will be removed in the future. It is recommended to explicitly specify a profile, for example "--profile=general".
Defaulting debug container name to debugger-sq4gg.
Unable to use a TTY - input is not a terminal or the right kind of file
All commands and output from this session will be recorded in container logs, including credentials and sensitive information passed through the command prompt. If you don't see a command prompt, try pressing enter.
warning: couldn't attach to pod/client, falling back to streaming logs: error stream protocol error: unknown error
PING icmp-drop-target.istio-vt-t41.svc.homelab.local (10.250.147.114) 56(84) bytes of data.
--- (d continued) ephemeral debug container (root, netshoot) ping result via kubectl logs ---
PING icmp-drop-target.istio-vt-t41.svc.homelab.local (10.250.147.114) 56(84) bytes of data.

--- icmp-drop-target.istio-vt-t41.svc.homelab.local ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2081ms

=== SUMMARY ===
Literal spec cmd3/cmd4 failed for environmental/tooling reasons specific to the chosen client image (curlimages/curl: non-root uid=100 w/o CAP_NET_RAW -> busybox ping refuses to even open a raw socket; ash shell has no bash /dev/tcp feature -> TCP test syntax itself errors before connecting).
Independent diagnosis using the SAME deployed pods/service (no manifest edits) directly confirms the underlying principle pass_criteria describes:
- root-capable pinger (ephemeral debug container, netshoot, privileged enough for raw ICMP socket): '3 packets transmitted, 0 received, 100% packet loss' against icmp-drop-target -> ping fails completely.
- TCP:8080 to the SAME target succeeds and returns real application data ('icmp-dropped-ok') via curl, proving the TCP path is fully healthy while ICMP is unconditionally DROPped by iptables on target.