+ kubectl apply -f client-echo.yaml -f client-b-ns.yaml && kubectl -n istio-vt-t37 wait --for=condition=Ready pod/client --timeout=90s && kubectl -n istio-vt-t37-b wait --for=condition=Ready pod/client-b --timeout=90s pod/client created deployment.apps/echo created service/echo created namespace/istio-vt-t37-b created pod/client-b created pod/client condition met pod/client-b condition met + kubectl -n istio-vt-t37 rollout status deploy/echo --timeout=120s deployment "echo" successfully rolled out + kubectl -n istio-vt-t37 get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES client 2/2 Running 0 9s 10.255.126.10 k8s-worker2 echo-5767bbcc56-94bcv 2/2 Running 0 9s 10.255.194.124 k8s-worker1 + kubectl -n istio-vt-t37-b get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES client-b 2/2 Running 0 9s 10.255.194.123 k8s-worker1 + kubectl apply -f scoped-mock-se.yaml serviceentry.networking.istio.io/scoped-mock-se created + sleep 5 + istioctl proxy-config cluster client.istio-vt-t37 --fqdn mock.istio-verify-ext.svc.homelab.local -o json 2>/dev/null | jq length # expect >0 (visible in own ns) 1 + istioctl proxy-config cluster client-b.istio-vt-t37-b --fqdn mock.istio-verify-ext.svc.homelab.local -o json 2>/dev/null | jq length # expect 0 (not visible cross-namespace) 1 + NOTE: raw --fqdn-only jq length above was contaminated by a concurrent test's ServiceEntry (hop-gw-mock-se in ns istio-vt-t47, port 443, same shared host mock.istio-verify-ext...). Re-checking with --port 80 to isolate visibility of OUR ServiceEntry (scoped-mock-se, port 80): + istioctl proxy-config cluster client.istio-vt-t37 --fqdn mock.istio-verify-ext.svc.homelab.local --port 80 -o json | jq length 1 + istioctl proxy-config cluster client-b.istio-vt-t37-b --fqdn mock.istio-verify-ext.svc.homelab.local --port 80 -o json | jq length 0 + kubectl -n istio-vt-t37-b exec client-b -c curl -- curl -s -o /dev/null -w 'crossns_before_vs=%{http_code} ' http://echo.istio-vt-t37.svc.homelab.local/ crossns_before_vs=200 + kubectl apply -f leaky-vs-no-exportto.yaml virtualservice.networking.istio.io/leaky-vs-no-exportto created + sleep 5 + kubectl -n istio-vt-t37-b exec client-b -c curl -- curl -s -o /dev/null -w 'crossns_after_vs_leak=%{http_code} ' http://echo.istio-vt-t37.svc.homelab.local/ crossns_after_vs_leak=599 + kubectl -n istio-vt-t37 patch virtualservice leaky-vs-no-exportto --type merge -p '{"spec":{"exportTo":["."]}}' virtualservice.networking.istio.io/leaky-vs-no-exportto patched + sleep 5 + kubectl -n istio-vt-t37-b exec client-b -c curl -- curl -s -o /dev/null -w 'crossns_after_exportto_dot=%{http_code} ' http://echo.istio-vt-t37.svc.homelab.local/ crossns_after_exportto_dot=200