=== T50: DNS refresh != liveness check verification === --- Namespace setup --- $ kubectl create namespace istio-vt-t50 && kubectl label namespace istio-vt-t50 istio-injection=enabled (done - see above) --- Apply manifest (client pod, echo deploy/svc, mock-deadport ServiceEntry) --- $ kubectl apply -f manifest.yaml pod/client configured deployment.apps/echo unchanged service/echo unchanged serviceentry.networking.istio.io/mock-deadport-se unchanged $ kubectl -n istio-vt-t50 wait --for=condition=Ready pod/client --timeout=90s pod/client condition met --- Command 2: phase1 - 10x curl to dead port 8199 (no outlierDetection yet) --- $ for i in $(seq 1 10); do kubectl -n istio-vt-t50 exec client -c istio-proxy -- curl -s -o /dev/null -w 'try %{http_code} ' --max-time 2 http://mock.istio-verify-ext.svc.homelab.local:8199/; sleep 1; done try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 --- Command 3: phase1 /clusters check (expect healthy, no outlier flags) --- $ kubectl -n istio-vt-t50 exec client -c istio-proxy -- curl -s 'localhost:15000/clusters' | grep 'outbound|8199||mock.istio-verify-ext.svc.homelab.local' outbound|8199||mock.istio-verify-ext.svc.homelab.local::observability_name::outbound|8199||mock.istio-verify-ext.svc.homelab.local; outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_connections::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_pending_requests::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_requests::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_retries::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_connections::1024 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_pending_requests::1024 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_requests::1024 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_retries::3 outbound|8199||mock.istio-verify-ext.svc.homelab.local::added_via_api::true outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::cx_active::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::cx_connect_fail::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::cx_total::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_active::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_error::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_success::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_timeout::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_total::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::hostname::mock.istio-verify-ext.svc.homelab.local outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::health_flags::healthy outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::weight::1 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::region:: outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::zone:: outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::sub_zone:: outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::canary::false outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::priority::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::success_rate::-1 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::local_origin_success_rate::-1 --- Command 4: apply DestinationRule with outlierDetection (splitExternalLocalOriginErrors, consecutiveLocalOriginFailures=3) --- $ kubectl apply -f - < uid=1337(istio-proxy) curl (app) container -> uid=100(curl_user) Istio's default iptables interception excludes traffic originating from UID 1337 (to avoid envoy looping into itself). Therefore curl exec'd inside the istio-proxy container NEVER transits the sidecar - it goes straight to the kernel/kube-proxy path, which silently blackholes SYNs to a ClusterIP:port with no matching Service port (undefined port 8199 on svc mock, which only defines 80/443). This produced 16/16 curl timeouts (exit 28) and PERMANENTLY-ZERO stats (cx_total=0, cx_connect_fail=0) on the envoy cluster 'outbound|8199||mock.istio-verify-ext.svc.homelab.local' in BOTH phase1 and phase2 checks above - envoy was never in the path, so outlierDetection could not have fired regardless of config. Confirmed with a single probe from the 'curl' app container (uid=100): got a clean http_code=503 in ~3.1s (envoy IS reachable and IS proxying/retrying/failing this traffic). Corrective action: re-running phase1/phase2 identically but via 'kubectl exec -c curl' (the actual client app container, uid=100) instead of '-c istio-proxy', so traffic actually traverses the sidecar as the test goal requires. Also removing DestinationRule for a clean phase1 baseline before applying it for phase2. === CORRECTED RUN (using -c curl, the app container) === --- Corrected phase1: 10x curl to dead port 8199, no outlierDetection --- $ for i in $(seq 1 10); do kubectl -n istio-vt-t50 exec client -c curl -- curl -s -o /dev/null -w 'try %{http_code} ' --max-time 3 http://mock.istio-verify-ext.svc.homelab.local:8199/; sleep 1; done try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 try 000 command terminated with exit code 28 --- Corrected phase1 /clusters check --- $ kubectl -n istio-vt-t50 exec client -c istio-proxy -- curl -s 'localhost:15000/clusters' | grep 'outbound|8199||mock.istio-verify-ext.svc.homelab.local' outbound|8199||mock.istio-verify-ext.svc.homelab.local::observability_name::outbound|8199||mock.istio-verify-ext.svc.homelab.local; outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_connections::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_pending_requests::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_requests::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::default_priority::max_retries::4294967295 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_connections::1024 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_pending_requests::1024 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_requests::1024 outbound|8199||mock.istio-verify-ext.svc.homelab.local::high_priority::max_retries::3 outbound|8199||mock.istio-verify-ext.svc.homelab.local::added_via_api::true outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::cx_active::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::cx_connect_fail::6 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::cx_total::6 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_active::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_error::2 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_success::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_timeout::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::rq_total::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::hostname::mock.istio-verify-ext.svc.homelab.local outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::health_flags::healthy outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::weight::1 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::region:: outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::zone:: outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::sub_zone:: outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::canary::false outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::priority::0 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::success_rate::-1 outbound|8199||mock.istio-verify-ext.svc.homelab.local::10.250.183.220:8199::local_origin_success_rate::-1 --- Corrected: re-apply DestinationRule with outlierDetection --- $ kubectl apply -f - <