$ kubectl apply -f manifest.yaml && kubectl -n istio-vt-t67 wait --for=condition=Ready pod/client --timeout=90s pod/client configured deployment.apps/echo unchanged service/echo unchanged pod/client condition met $ sleep 5 $ istioctl proxy-config listener client.istio-vt-t67 --port 15001 -o json | jq '.[0].name' "virtualOutbound" $ istioctl proxy-config listener client.istio-vt-t67 --port 80 -o json | jq '.[0].name' "0.0.0.0_80" $ istioctl proxy-config cluster client.istio-vt-t67 --fqdn echo.istio-vt-t67.svc.homelab.local -o json | jq '.[0].name' null $ istioctl proxy-config endpoint client.istio-vt-t67 --cluster 'outbound|80||echo.istio-vt-t67.svc.homelab.local' | awk '{print $1}' ENDPOINT --- full cluster dump grep echo --- outbound|80||echo.istio-verify.svc.cluster.local outbound|443||echo.istio-verify.svc.cluster.local outbound|80||echo.istio-vt-t44.svc.cluster.local outbound|443||echo.istio-vt-t44.svc.cluster.local outbound|80||echo.istio-vt-t55.svc.cluster.local outbound|443||echo.istio-vt-t55.svc.cluster.local outbound|80||echo.istio-vt-t57.svc.cluster.local outbound|443||echo.istio-vt-t57.svc.cluster.local outbound|80||echo.istio-vt-t58.svc.cluster.local outbound|443||echo.istio-vt-t58.svc.cluster.local outbound|80||echo.istio-vt-t67.svc.cluster.local outbound|443||echo.istio-vt-t67.svc.cluster.local outbound|80||echo.istio-vt-t70.svc.cluster.local outbound|443||echo.istio-vt-t70.svc.cluster.local --- NOTE: harness-notes.md states cluster DNS domain = homelab.local (confirmed via /etc/resolv.conf and kubeadm-config/coredns configmap: dnsDomain=homelab.local). However, live Envoy cluster dump shows Istio's internal service-hostname construction still uses the DEFAULT "svc.cluster.local" suffix for ALL outbound clusters cluster-wide (confirmed across multiple namespaces: istio-verify, istio-vt-t44/t55/t57/t58/t67/t70), meaning istiod's proxy.clusterDomain was never set to match the actual kubeadm clusterDomain. This is a real, cluster-wide environmental fact (not specific to this test's manifest), so the --fqdn/--cluster commands as literally specified with *.svc.homelab.local return null/empty. Re-running layer3/layer4 with the ACTUALLY-configured suffix svc.cluster.local below to observe the true 4-layer decomposition (the object of C2), independent of this DNS-domain side issue. $ istioctl proxy-config cluster client.istio-vt-t67 --fqdn echo.istio-vt-t67.svc.cluster.local -o json | jq '.[0].name' "outbound|80||echo.istio-vt-t67.svc.cluster.local" $ istioctl proxy-config cluster client.istio-vt-t67 --fqdn echo.istio-vt-t67.svc.cluster.local -o json | jq '[.[].name]' [ "outbound|80||echo.istio-vt-t67.svc.cluster.local", "outbound|443||echo.istio-vt-t67.svc.cluster.local" ] $ istioctl proxy-config endpoint client.istio-vt-t67 --cluster 'outbound|80||echo.istio-vt-t67.svc.cluster.local' ENDPOINT STATUS OUTLIER CHECK CLUSTER 10.255.126.39:8080 HEALTHY OK outbound|80||echo.istio-vt-t67.svc.cluster.local $ istioctl proxy-config listener client.istio-vt-t67 --port 15001 -o json | jq '.[0] | {name, address}' { "name": "virtualOutbound", "address": { "socketAddress": { "address": "0.0.0.0", "portValue": 15001 } } } $ istioctl proxy-config listener client.istio-vt-t67 --port 80 -o json | jq '.[0] | {name, address}' { "name": "0.0.0.0_80", "address": { "socketAddress": { "address": "0.0.0.0", "portValue": 80 } } }