$ kubectl apply -f manifest.yaml
pod/client created
deployment.apps/echo created
service/echo created
pod/tcp-target created
service/tcp-target created
authorizationpolicy.security.istio.io/deny-client-on-echo created
authorizationpolicy.security.istio.io/deny-client-on-tcp-target created
$ kubectl -n istio-vt-t11-r2 wait --for=condition=Ready pod/client --timeout=90s
pod/client condition met
$ kubectl -n istio-vt-t11-r2 wait --for=condition=Ready pod/tcp-target --timeout=60s
pod/tcp-target condition met
$ kubectl -n istio-vt-t11-r2 rollout status deploy/echo --timeout=90s
deployment "echo" successfully rolled out
$ kubectl -n istio-vt-t11-r2 get pods -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP               NODE          NOMINATED NODE   READINESS GATES
client                  2/2     Running   0          7s    10.255.194.123   k8s-worker1
echo-5767bbcc56-v6dww   2/2     Running   0          7s    10.255.126.14    k8s-worker2
tcp-target              2/2     Running   0          7s    10.255.194.116   k8s-worker1
$ sleep 5 (wait for the AuthorizationPolicy to propagate to the sidecars)
$ kubectl -n istio-vt-t11-r2 exec client -c curl -- curl -s -o /dev/null -w 'l7_deny=%{http_code} ' http://echo.istio-vt-t11-r2/ (CORRECTED: SHORT name)
l7_deny=403
$ kubectl -n istio-vt-t11-r2 logs echo-5767bbcc56-v6dww -c istio-proxy --since=20s | tail -5
2026-07-05T00:56:27.208194Z info Readiness succeeded in 1.694691698s
2026-07-05T00:56:27.208497Z info Envoy proxy is ready
[2026-07-05T00:56:40.936Z] "GET / HTTP/1.1" 403 - rbac_access_denied_matched_policy[ns[istio-vt-t11-r2]-policy[deny-client-on-echo]-rule[0]] - "-" 0 19 0 - "-" "curl/8.14.1" "2f450cac-2ba3-40df-ba87-99c4065d0f03" "echo.istio-vt-t11-r2" "-" inbound|8080|| - 10.255.126.14:8080 10.255.194.123:33198 outbound_.80_._.echo.istio-vt-t11-r2.svc.cluster.local default
(note: the 403 alone does not show which component refused the request; the rbac_access_denied_matched_policy[...] field on the inbound|8080 line of the echo sidecar is what attributes it to policy deny-client-on-echo, rule 0. In Istio's default access-log format this is the response-code-details field.)
$ kubectl -n istio-vt-t11-r2 exec client -c curl -- curl -s -o /dev/null -w 'l4_deny_code=%{http_code} ' --max-time 4 http://tcp-target.istio-vt-t11-r2:9090/ (CORRECTED: SHORT name) ; echo l4_deny_exit=$?
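l4_deny_code=000 l4_deny_exit=52
(note: curl exit 52 is "empty reply from server" and http_code 000 means no HTTP response was received. An L4 deny closes the connection instead of answering with a 403, so the client-side result alone does not prove a policy deny; the proxy log entry below does.)
$ kubectl -n istio-vt-t11-r2 logs tcp-target -c istio-proxy --since=20s | tail -5
[2026-07-05T00:56:57.552Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t11-r2]-policy[deny-client-on-tcp-target]-rule[0]] "-" 600 530 6 - "-" "-" "-" "-" "10.255.194.116:9090" inbound|9090|| 127.0.0.6:51849 10.255.194.116:9090 10.255.194.123:37502 outbound_.9090_._.tcp-target.istio-vt-t11-r2.svc.cluster.local -
(note: on this TCP log line the policy match appears one field later than on an HTTP line. In Istio's default access-log format that position is the connection-termination-details field, and the response code is 0.)

=== supplemental diagnostic: confirm short name matches Pilot-generated VirtualHost domains ===
$ istioctl proxy-config route client.istio-vt-t11-r2 --name 80 -o json | jq '.[].virtualHosts[] | select(.name | contains("echo")) | {name, domains}'
{
  "name": "echo.istio-verify.svc.cluster.local:80",
  "domains": [
    "echo.istio-verify.svc.cluster.local",
    "echo.istio-verify.svc.cluster.local.",
    "echo.istio-verify",
    "echo.istio-verify.svc",
    "10.250.152.233"
  ]
}
{
  "name": "echo.istio-vt-t11-r2.svc.cluster.local:80",
  "domains": [
    "echo.istio-vt-t11-r2.svc.cluster.local",
    "echo.istio-vt-t11-r2.svc.cluster.local.",
    "echo",
    "echo.istio-vt-t11-r2.svc",
    "echo.istio-vt-t11-r2",
    "10.250.194.104"
  ]
}
(note: the name used in the curl calls, echo.istio-vt-t11-r2, is listed in the domains of the second VirtualHost, so the request is routed to the intended service. The first entry shows that the client sidecar also receives routes for a service in another namespace, istio-verify; an Istio Sidecar resource can narrow that visibility if it is not wanted.)

--- cleanup: deleting namespace istio-vt-t11-r2 ---
namespace "istio-vt-t11-r2" deleted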