=== kubectl create namespace istio-vt-t61 ===
namespace/istio-vt-t61 created

=== kubectl label namespace istio-vt-t61 istio-injection=enabled ===
namespace/istio-vt-t61 labeled

=== kubectl apply -f manifest.yaml ===
pod/client created
deployment.apps/echo created
service/echo created
pod/raw-tcp-svc created
service/raw-tcp-svc created
Warning: configured AuthorizationPolicy will deny all traffic to TCP ports under its scope due to the use of only HTTP attributes in a DENY rule; it is recommended to explicitly specify the port
authorizationpolicy.security.istio.io/deny-http-attr-no-ports created

=== kubectl -n istio-vt-t61 wait --for=condition=Ready pod/client pod/raw-tcp-svc --timeout=90s ===
pod/client condition met
pod/raw-tcp-svc condition met

=== kubectl -n istio-vt-t61 rollout status deploy/echo --timeout=90s ===
deployment "echo" successfully rolled out

=== kubectl -n istio-vt-t61 get pods -o wide ===
NAME                    READY   STATUS    RESTARTS   AGE   IP              NODE          NOMINATED NODE   READINESS GATES
client                  2/2     Running   0          3s    10.255.194.88   k8s-worker1
echo-5767bbcc56-v8l9d   2/2     Running   0          3s    10.255.126.40   k8s-worker2
raw-tcp-svc             2/2     Running   0          3s    10.255.194.87   k8s-worker1

=== sleep 5 ===

=== kubectl -n istio-vt-t61 exec client -c curl -- curl -s -o /dev/null -w 'blocked_even_though_it_is_a_get=%{http_code} ' --max-time 4 http://raw-tcp-svc.istio-vt-t61.svc.homelab.local:9191/ ; echo exit=$? ===
blocked_even_though_it_is_a_get=000
exit=52
[note: http_code=000 with curl exit 52 ("empty reply from server") means the connection was closed before any HTTP response was received, rather than an HTTP 403 being returned; this is consistent with the apply-time warning that the policy denies all traffic to TCP ports in its scope.]

=== (supplementary) kubectl -n istio-vt-t61 exec client -c curl -- curl -s -o /dev/null -w 'retry_check=%{http_code} ' --max-time 4 http://raw-tcp-svc.istio-vt-t61.svc.homelab.local:9191/ ; echo exit=$? ===
retry_check=000
exit=52

=== (supplementary) kubectl -n istio-vt-t61 get authorizationpolicy deny-http-attr-no-ports -o yaml ===
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"security.istio.io/v1","kind":"AuthorizationPolicy","metadata":{"annotations":{},"name":"deny-http-attr-no-ports","namespace":"istio-vt-t61"},"spec":{"action":"DENY","rules":[{"to":[{"operation":{"methods":["GET"]}}]}],"selector":{"matchLabels":{"app":"raw-tcp-svc"}}}}
  creationTimestamp: "2026-07-05T00:01:40Z"
  generation: 1
  name: deny-http-attr-no-ports
  namespace: istio-vt-t61
  resourceVersion: "13664298"
  uid: f33ca670-83a0-4d1a-83fe-6082a11b0d9b
spec:
  action: DENY
  rules:
  - to:
    - operation:
        methods:
        - GET
  selector:
    matchLabels:
      app: raw-tcp-svc