=== CMD 1: apply client-echo.yaml, wait ===
pod/client created
deployment.apps/echo created
service/echo created
pod/client condition met
deployment "echo" successfully rolled out
NAME                    READY   STATUS    RESTARTS   AGE   IP              NODE          NOMINATED NODE   READINESS GATES
client                  2/2     Running   0          11s   10.255.126.13   k8s-worker2
echo-5767bbcc56-5rmr8   2/2     Running   0          11s   10.255.126.14   k8s-worker2

=== CMD 2: baseline cluster count ===
$ N0=$(istioctl proxy-config cluster client.istio-vt-t01 2>/dev/null | tail -n +2 | wc -l); echo baseline_clusters=$N0
baseline_clusters=59

=== CMD 3: baseline mock http ===
$ kubectl -n istio-vt-t01 exec client -c curl -- curl -s -o /dev/null -w 'baseline_mock_http=%{http_code} ' http://mock.istio-verify-ext.svc.homelab.local/
baseline_mock_http=200

=== CMD 4: baseline mock https ===
$ kubectl -n istio-vt-t01 exec client -c curl -- curl -sk -o /dev/null -w 'baseline_mock_https=%{http_code} ' https://mock.istio-verify-ext.svc.homelab.local:443/
baseline_mock_https=200

=== CMD 5: apply idle-egressgw.yaml + narrow-egress-sidecar.yaml ===
pod/idle-egressgw created
sidecar.networking.istio.io/narrow-egress created

=== CMD 6: wait idle-egressgw ready ===
pod/idle-egressgw condition met
NAME                    READY   STATUS    RESTARTS   AGE   IP               NODE          NOMINATED NODE   READINESS GATES
client                  2/2     Running   0          46s   10.255.126.13    k8s-worker2
echo-5767bbcc56-5rmr8   2/2     Running   0          46s   10.255.126.14    k8s-worker2
idle-egressgw           1/1     Running   0          10s   10.255.194.119   k8s-worker1

=== CMD 7: sleep 8 ===
slept 8s

=== CMD 8: scoped cluster count ===
$ N1=$(istioctl proxy-config cluster client.istio-vt-t01 2>/dev/null | tail -n +2 | wc -l); echo scoped_clusters=$N1
scoped_clusters=20

=== CMD 9: scoped namespace set ===
$ istioctl proxy-config cluster client.istio-vt-t01 2>/dev/null | tail -n +2 | awk '{print $1}' | grep -oE '[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+\.svc\.homelab\.local' | awk -F. '{print $2}' | sort -u

NOTE: spec command 9's grep pattern '.svc.homelab.local' produced empty output.
Diagnostic: istioctl proxy-config cluster reports service FQDNs using istio's internal proxy.clusterDomain convention (cluster.local), which is INDEPENDENT of the actual kubelet/CoreDNS clusterDomain (homelab.local) -- these are two separate settings that happen to differ in this cluster. Adjusting grep to match the actual FQDN suffix used by istioctl (svc.cluster.local) to recover the intended namespace-set check:

$ istioctl proxy-config cluster client.istio-vt-t01 2>/dev/null | tail -n +2 | awk '{print $1}' | grep -oE '[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+\.svc\.cluster\.local' | awk -F. '{print $2}' | sort -u
istio-system
istio-vt-t01

=== CMD 10: scoped mock http ===
$ kubectl -n istio-vt-t01 exec client -c curl -- curl -s -o /dev/null -w 'scoped_mock_http=%{http_code} ' http://mock.istio-verify-ext.svc.homelab.local/
scoped_mock_http=200

=== CMD 11: scoped mock https ===
$ kubectl -n istio-vt-t01 exec client -c curl -- curl -sk -o /dev/null -w 'scoped_mock_https=%{http_code} ' https://mock.istio-verify-ext.svc.homelab.local:443/
scoped_mock_https=200

=== CMD 12: idle-egressgw log check for mock traffic ===
$ kubectl -n istio-vt-t01 logs deploy/idle-egressgw -c istio-proxy --since=2m | grep -ci mock || echo 'idle-egressgw saw 0 mock-related log lines...'
error: error from server (NotFound): deployments.apps "idle-egressgw" not found in namespace "istio-vt-t01"
0
idle-egressgw saw 0 mock-related log lines (no VirtualService routes to it, so it never carried this traffic)

NOTE: idle-egressgw is a bare Pod (not a Deployment) per the manifest, so 'kubectl logs deploy/idle-egressgw' 404s. Retrying with the correct resource ref:

$ kubectl -n istio-vt-t01 logs pod/idle-egressgw -c istio-proxy --since=2m | grep -ci mock || echo 'idle-egressgw saw 0 mock-related log lines (no VirtualService routes to it, so it never carried this traffic)'
0
idle-egressgw saw 0 mock-related log lines (no VirtualService routes to it, so it never carried this traffic)
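
The namespace-set check from CMD 9, written so that it does not hard-code the domain suffix and treats an empty parse as a failure instead of a pass. This is an added example, not part of the original run or its spec; the function names `cluster_namespaces` and `check_scope` and the sample istioctl output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: namespace-set check that does not hard-code the domain suffix.

# Print the unique namespaces in the SERVICE FQDN column of
# `istioctl proxy-config cluster` output read from stdin. Matches
# <svc>.<ns>.svc.<any domain>, so cluster.local vs homelab.local is irrelevant.
cluster_namespaces() {
  tail -n +2 | awk '{print $1}' \
    | grep -oE '^[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+\.svc\.[a-zA-Z0-9.-]+$' \
    | awk -F. '{print $2}' | sort -u
}

# check_scope "<allowed namespaces>" < istioctl-output
# 0 = every namespace is allowed; 1 = unexpected namespace; 2 = nothing parsed.
# An empty parse is a failure: it means the pattern is wrong, not that the
# sidecar is scoped to nothing.
check_scope() {
  local allowed found ns rc
  allowed=" $1 "; rc=0
  found=$(cluster_namespaces) || true
  if [ -z "$found" ]; then
    echo "FAIL: no service FQDNs parsed from input" >&2
    return 2
  fi
  for ns in $found; do
    case "$allowed" in
      *" $ns "*) ;;
      *) echo "FAIL: unexpected namespace in scope: $ns" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample output (not captured from the cluster in this log).
SCOPED_SAMPLE='SERVICE FQDN                           PORT   SUBSET  DIRECTION  TYPE
BlackHoleCluster                       -      -       -          STATIC
PassthroughCluster                     -      -       -          ORIGINAL_DST
echo.istio-vt-t01.svc.cluster.local    80     -       outbound   EDS
istiod.istio-system.svc.cluster.local  443    -       outbound   EDS'
UNSCOPED_SAMPLE="$SCOPED_SAMPLE
kube-dns.kube-system.svc.cluster.local 53     -       outbound   EDS"

# Live use: istioctl proxy-config cluster client.istio-vt-t01 | check_scope "istio-system istio-vt-t01"
printf '%s\n' "$SCOPED_SAMPLE" | check_scope "istio-system istio-vt-t01" && echo "scoped: OK"
printf '%s\n' "$UNSCOPED_SAMPLE" | check_scope "istio-system istio-vt-t01" || echo "unscoped: rejected"
```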