=== CMD: kubectl apply -f client-echo.yaml && kubectl -n istio-vt-t36 wait --for=condition=Ready pod/client --timeout=90s ===
pod/client created
deployment.apps/echo created
service/echo created
pod/client condition met

=== EXTRA: wait for echo deployment rollout (not in spec commands, but needed for sidecar injection to complete) ===
deployment "echo" successfully rolled out

=== EXTRA: pod status check (2/2 expected for sidecar injection) ===
NAME                    READY   STATUS    RESTARTS   AGE   IP               NODE          NOMINATED NODE   READINESS GATES
client                  2/2     Running   0          13s   10.255.126.33    k8s-worker2
echo-5767bbcc56-9f5mm   2/2     Running   0          13s   10.255.159.185   k8s-master1

=== CMD: kubectl apply -f ns-wide-sidecar.yaml ===
sidecar.networking.istio.io/ns-wide-broad created

=== CMD: sleep 5 ===

=== CMD: istioctl proxy-config cluster client.istio-vt-t36 2>/dev/null | grep -c 'istio-system' ; echo 'above should be > 0 (ns-wide default allows istio-system)' ===
11
above should be > 0 (ns-wide default allows istio-system)

=== CMD: kubectl apply -f workload-narrow-sidecar.yaml ===
sidecar.networking.istio.io/workload-narrow created

=== CMD: sleep 5 ===

=== CMD: istioctl proxy-config cluster client.istio-vt-t36 2>/dev/null | grep -c 'istio-system' ; echo 'above should be 0 now (workload Sidecar overrides, does not inherit ns-wide istio-system entry)' ===
0
above should be 0 now (workload Sidecar overrides, does not inherit ns-wide istio-system entry)

=== CMD: istioctl proxy-config cluster client.istio-vt-t36 2>/dev/null | tail -n +2 | wc -l # sanity: cluster count still non-zero (istio-vt-t36/echo still reachable) ===
9

=== EXTRA EVIDENCE: full cluster listing after workload-narrow sidecar applied ===
SERVICE FQDN                            PORT   SUBSET   DIRECTION   TYPE           DESTINATION RULE
BlackHoleCluster                        -      -        -           STATIC
InboundPassthroughCluster               -      -        -           ORIGINAL_DST
PassthroughCluster                      -      -        -           ORIGINAL_DST
agent                                   -      -        -           STATIC
echo.istio-vt-t36.svc.cluster.local     80     -        outbound    EDS
echo.istio-vt-t36.svc.cluster.local     443    -        outbound    EDS
prometheus_stats                        -      -        -           STATIC
sds-grpc                                -      -        -           STATIC
xds-grpc                                -      -        -           STATIC

=== EXTRA EVIDENCE: Sidecar resources in namespace ===
NAME              AGE
ns-wide-broad     28s
workload-narrow   12s