=== CMD: kubectl apply -f client-echo.yaml && kubectl -n istio-vt-t39 wait --for=condition=Ready pod/client --timeout=90s ===
pod/client created
deployment.apps/echo created
service/echo created
pod/client condition met

=== CMD: kubectl -n istio-vt-t39 exec client -c curl -- curl -s -o /dev/null -w 'baseline=%{http_code} ' http://echo.istio-vt-t39.svc.homelab.local/ ===
baseline=200

=== CMD: kubectl apply -f cut-client-from-istiod.yaml ===
networkpolicy.networking.k8s.io/cut-client-from-istiod created

=== CMD: sleep 5 && istioctl proxy-status | grep 'client.istio-vt-t39' ===
client.istio-vt-t39 Kubernetes istiod-797b447c94-cv7ns 1.30.0 4 (CDS,LDS,EDS,RDS)

=== NOTE: 'istioctl proxy-status | grep client.NS' table format has no per-type SYNCED/STALE column in this istioctl version (shows SUBSCRIBED TYPES count only). Using 'istioctl proxy-status client.istio-vt-t39' (single-target diff mode) as the more informative check instead. ===

=== single-target proxy-status right after NetworkPolicy cut (before fault VS) ===
Sun Jul 5 08:21:15 AM KST 2026
Clusters Match
Listeners Match
Routes Match (RDS last loaded at Sun, 05 Jul 2026 08:21:15 KST)

=== CMD: kubectl apply -f echo-fault-after-cut.yaml ===
virtualservice.networking.istio.io/echo-fault-after-cut created

=== CMD: sleep 5 ===
Sun Jul 5 08:22:06 AM KST 2026
Sun Jul 5 08:22:11 AM KST 2026

=== CMD: kubectl -n istio-vt-t39 exec client -c curl -- curl -s -o /dev/null -w 'after-cut=%{http_code} ' http://echo.istio-vt-t39.svc.homelab.local/ ===
after-cut=000
command terminated with exit code 6

=== CMD: istioctl proxy-status | grep 'client.istio-vt-t39' (table form, informational) ===
client.istio-vt-t39 Kubernetes istiod-797b447c94-cv7ns 1.30.0 4 (CDS,LDS,EDS,RDS)

=== supplementary: istioctl proxy-status client.istio-vt-t39 (single-target diff, more informative in this istioctl version) ===
Sun Jul 5 08:22:23 AM KST 2026
Clusters Match
Listeners Match
Routes Match (RDS last loaded at Sun, 05 Jul 2026 08:22:20 KST)

=== ENV ISSUE DETECTED ===
This cluster uses NodeLocal DNSCache at link-local 169.254.25.10 (hostNetwork daemonset on node's own dummy iface, NOT a normal pod IP). The spec NetworkPolicy's DNS allow-rule (namespaceSelector=kube-system, port 53) cannot match a link-local address via podSelector-based NetworkPolicy semantics, so client lost DNS entirely (curl exit 6 'could not resolve host') -- an incidental collateral failure unrelated to the istiod-xDS behavior under test.
FIX: patch cut-client-from-istiod.yaml to add an explicit egress rule allowing 169.254.25.10/32 UDP/TCP:53, keeping istiod(15012)/istio-system egress blocked (the actual system under test).

=== CMD (env fix reapply): kubectl apply -f cut-client-from-istiod.yaml ===
networkpolicy.networking.k8s.io/cut-client-from-istiod configured

=== retry: kubectl -n istio-vt-t39 exec client -c curl -- curl -s -o /dev/null -w 'after-cut(retry)=%{http_code} ' http://echo.istio-vt-t39.svc.homelab.local/ ===
after-cut(retry)=599

=== ENV BLOCKER CONFIRMED (root-cause diagnosis) ===
Felix (calico-node-vkmwt, node k8s-worker2) DID receive and log the policy: 'Received *proto.ActivePolicyUpdate ... name:"istio-vt-t39/knp.default.cut-client-from-istiod" ...' and attached it to the client WorkloadEndpoint (egress_policies=[...cut-client-from-istiod]). But actual dataplane enforcement never took effect:
- 'iptables -t filter -S' AND 'iptables-legacy -t filter -S' inside calico-node-vkmwt both show ONLY the 3 default ACCEPT policies -- zero Calico (cali-fw-*/cali-pri-*) chains present on the node.
- Direct probe: client pod CAN still open a brand-new TCP connection to istiod.istio-system.svc:15012 (nc -zv => 'open') and to an unrelated external address 8.8.8.8:53 (nc -zv => 'open'), which matches NO allow rule in the NetworkPolicy and should be default-denied once any Egress policyType selects the pod.
- RETRY (per harness protocol): deleted+recreated the NetworkPolicy fresh, waited 15s for Felix to reprogram -- same result, 8.8.8.8:53 and istiod:15012 both still 'open'.
CONCLUSION: Kubernetes NetworkPolicy is NOT actually enforced on this cluster's dataplane (Calico computes the policy but does not program it into iptables/nft on this node), independent of Istio. This breaks the test's isolation mechanism -- the client sidecar's xDS (ADS) connection to istiod was NEVER actually cut, so the earlier after-cut=599 result reflects a normal (connected) config push, not fail-static behavior. This is an environmental limitation of the cluster, not a property of Istio's control/data-plane design.

=== Completing remaining spec commands for the record (isolation precondition not achieved) ===

=== CMD: kubectl delete -f cut-client-from-istiod.yaml ===
networkpolicy.networking.k8s.io "cut-client-from-istiod" deleted from istio-vt-t39 namespace

=== CMD: sleep 5 ===

=== CMD: kubectl -n istio-vt-t39 exec client -c curl -- curl -s -o /dev/null -w 'after-reconnect=%{http_code} ' http://echo.istio-vt-t39.svc.homelab.local/ ===
after-reconnect=599