=== T60 test execution log ===
namespace: istio-vt-t60
Sun Jul 5 09:14:54 AM KST 2026
$ kubectl apply -f manifest.yaml
pod/client configured
deployment.apps/echo unchanged
service/echo unchanged
authorizationpolicy.security.istio.io/deny-selector-on-client unchanged
$ kubectl -n istio-vt-t60 wait --for=condition=Ready pod/client --timeout=90s
pod/client condition met
$ kubectl -n istio-vt-t60 rollout status deployment/echo --timeout=90s
deployment "echo" successfully rolled out
$ kubectl -n istio-vt-t60 get pods -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP              NODE          NOMINATED NODE   READINESS GATES
client                  2/2     Running   0          20s   10.255.126.50   k8s-worker2
echo-5767bbcc56-c2ctt   2/2     Running   0          20s   10.255.126.49   k8s-worker2
--- deny-selector-on-client AuthorizationPolicy already applied as part of manifest.yaml ---
NAME                      ACTION   AGE
deny-selector-on-client   DENY     20s
$ sleep 5
$ kubectl -n istio-vt-t60 exec client -c curl -- curl -s -o /dev/null -w 'deny_selector_client=%{http_code} ' http://echo.istio-vt-t60.svc.homelab.local/
deny_selector_client=200
$ kubectl delete authorizationpolicy deny-selector-on-client -n istio-vt-t60
authorizationpolicy.security.istio.io "deny-selector-on-client" deleted from istio-vt-t60 namespace
$ kubectl apply -f deny-selector-on-echo.yaml
authorizationpolicy.security.istio.io/deny-selector-on-echo created
$ sleep 5
$ kubectl -n istio-vt-t60 exec client -c curl -- curl -s -o /dev/null -w 'deny_selector_echo=%{http_code} ' http://echo.istio-vt-t60.svc.homelab.local/
deny_selector_echo=200
=== end ===

=== follow-up: initial post-apply curl (5s wait) returned 200 for deny_selector_echo; ===
=== this appears to be config-propagation lag (Envoy had not yet received the updated ===
=== RBAC filter from istiod). Retried after additional wait: ===
$ sleep 8; kubectl -n istio-vt-t60 exec client -c curl -- curl -s -o /dev/null -w 'deny_selector_echo_retry=%{http_code}\n' http://echo.istio-vt-t60.svc.homelab.local/
deny_selector_echo_retry=403
$ kubectl -n istio-vt-t60 exec client -c curl -- curl -s -o /dev/null -w 'deny_selector_echo_confirm=%{http_code}\n' http://echo.istio-vt-t60.svc.homelab.local/
deny_selector_echo_confirm=403
$ kubectl -n istio-vt-t60 exec client -c curl -- curl -s http://echo.istio-vt-t60.svc.homelab.local/
RBAC: access denied
=== conclusion: after full config propagation (~13s total from apply), deny_selector_echo=403 as expected. ===