=== CMD1: apply + wait (already done above, re-log confirmation) === error: there is no need to specify a resource type as a separate argument when passing arguments in resource/name form (e.g. 'kubectl get resource/' instead of 'kubectl get resource resource/' NAME READY STATUS RESTARTS AGE client 2/2 Running 0 19s NAME READY UP-TO-DATE AVAILABLE AGE echo 1/1 1 1 19s === CMD2: scale echo to 0 replicas === deployment.apps/echo scaled === CMD3: sleep 5 === slept 5s === CMD4: client curl to echo during 0 replicas === $ kubectl -n istio-vt-t62 exec client -c curl -- curl -s -o /dev/null -w 'during_zero_replicas=%{http_code} ' http://echo.istio-vt-t62.svc.homelab.local/ during_zero_replicas=503 === CMD5: config_dump dynamic_active_clusters grep count for outbound echo cluster === $ kubectl -n istio-vt-t62 exec client -c istio-proxy -- curl -s 'localhost:15000/config_dump?resource=dynamic_active_clusters' | grep -c 'outbound|80||echo' 18 === CMD6: /clusters grep for outbound echo (expect 0 healthy) === $ kubectl -n istio-vt-t62 exec client -c istio-proxy -- curl -s localhost:15000/clusters | grep 'outbound|80||echo' outbound|80||echo.istio-vt-t45.svc.cluster.local::observability_name::outbound|80||echo.istio-vt-t45.svc.cluster.local; outbound|80||echo.istio-vt-t45.svc.cluster.local::default_priority::max_connections::4294967295 outbound|80||echo.istio-vt-t45.svc.cluster.local::default_priority::max_pending_requests::4294967295 outbound|80||echo.istio-vt-t45.svc.cluster.local::default_priority::max_requests::4294967295 outbound|80||echo.istio-vt-t45.svc.cluster.local::default_priority::max_retries::4294967295 outbound|80||echo.istio-vt-t45.svc.cluster.local::high_priority::max_connections::1024 outbound|80||echo.istio-vt-t45.svc.cluster.local::high_priority::max_pending_requests::1024 outbound|80||echo.istio-vt-t45.svc.cluster.local::high_priority::max_requests::1024 outbound|80||echo.istio-vt-t45.svc.cluster.local::high_priority::max_retries::3 outbound|80||echo.istio-vt-t45.svc.cluster.local::added_via_api::true outbound|80||echo.istio-vt-t45.svc.cluster.local::eds_service_name::outbound|80||echo.istio-vt-t45.svc.cluster.local outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::cx_active::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::cx_connect_fail::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::cx_total::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::rq_active::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::rq_error::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::rq_success::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::rq_timeout::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::rq_total::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::hostname:: outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::health_flags::healthy outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::weight::1 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::region:: outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::zone:: outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::sub_zone:: outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::canary::false outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::priority::0 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::success_rate::-1 outbound|80||echo.istio-vt-t45.svc.cluster.local::10.255.194.126:8080::local_origin_success_rate::-1 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::observability_name::outbound|80||echo-netb.istio-vt-t45.svc.cluster.local; outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::default_priority::max_connections::4294967295 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::default_priority::max_pending_requests::4294967295 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::default_priority::max_requests::4294967295 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::default_priority::max_retries::4294967295 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::high_priority::max_connections::1024 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::high_priority::max_pending_requests::1024 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::high_priority::max_requests::1024 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::high_priority::max_retries::3 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::added_via_api::true outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::eds_service_name::outbound|80||echo-netb.istio-vt-t45.svc.cluster.local outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::cx_active::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::cx_connect_fail::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::cx_total::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::rq_active::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::rq_error::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::rq_success::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::rq_timeout::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::rq_total::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::hostname:: outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::health_flags::healthy outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::weight::1 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::region:: outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::zone:: outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::sub_zone:: outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::canary::false outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::priority::0 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::success_rate::-1 outbound|80||echo-netb.istio-vt-t45.svc.cluster.local::10.250.124.9:15443::local_origin_success_rate::-1 outbound|80||echo.istio-vt-t47.svc.cluster.local::observability_name::outbound|80||echo.istio-vt-t47.svc.cluster.local; outbound|80||echo.istio-vt-t47.svc.cluster.local::default_priority::max_connections::4294967295 outbound|80||echo.istio-vt-t47.svc.cluster.local::default_priority::max_pending_requests::4294967295 outbound|80||echo.istio-vt-t47.svc.cluster.local::default_priority::max_requests::4294967295 outbound|80||echo.istio-vt-t47.svc.cluster.local::default_priority::max_retries::4294967295 outbound|80||echo.istio-vt-t47.svc.cluster.local::high_priority::max_connections::1024 outbound|80||echo.istio-vt-t47.svc.cluster.local::high_priority::max_pending_requests::1024 outbound|80||echo.istio-vt-t47.svc.cluster.local::high_priority::max_requests::1024 outbound|80||echo.istio-vt-t47.svc.cluster.local::high_priority::max_retries::3 outbound|80||echo.istio-vt-t47.svc.cluster.local::added_via_api::true outbound|80||echo.istio-vt-t47.svc.cluster.local::eds_service_name::outbound|80||echo.istio-vt-t47.svc.cluster.local outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::cx_active::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::cx_connect_fail::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::cx_total::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::rq_active::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::rq_error::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::rq_success::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::rq_timeout::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::rq_total::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::hostname:: outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::health_flags::healthy outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::weight::1 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::region:: outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::zone:: outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::sub_zone:: outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::canary::false outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::priority::0 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::success_rate::-1 outbound|80||echo.istio-vt-t47.svc.cluster.local::10.255.159.177:8080::local_origin_success_rate::-1 outbound|80||echo.istio-vt-t62.svc.cluster.local::observability_name::outbound|80||echo.istio-vt-t62.svc.cluster.local; outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_connections::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_pending_requests::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_requests::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_retries::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_connections::1024 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_pending_requests::1024 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_requests::1024 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_retries::3 outbound|80||echo.istio-vt-t62.svc.cluster.local::added_via_api::true outbound|80||echo.istio-vt-t62.svc.cluster.local::eds_service_name::outbound|80||echo.istio-vt-t62.svc.cluster.local outbound|80||echo.istio-vt-t50.svc.cluster.local::observability_name::outbound|80||echo.istio-vt-t50.svc.cluster.local; outbound|80||echo.istio-vt-t50.svc.cluster.local::default_priority::max_connections::4294967295 outbound|80||echo.istio-vt-t50.svc.cluster.local::default_priority::max_pending_requests::4294967295 outbound|80||echo.istio-vt-t50.svc.cluster.local::default_priority::max_requests::4294967295 outbound|80||echo.istio-vt-t50.svc.cluster.local::default_priority::max_retries::4294967295 outbound|80||echo.istio-vt-t50.svc.cluster.local::high_priority::max_connections::1024 outbound|80||echo.istio-vt-t50.svc.cluster.local::high_priority::max_pending_requests::1024 outbound|80||echo.istio-vt-t50.svc.cluster.local::high_priority::max_requests::1024 outbound|80||echo.istio-vt-t50.svc.cluster.local::high_priority::max_retries::3 outbound|80||echo.istio-vt-t50.svc.cluster.local::added_via_api::true outbound|80||echo.istio-vt-t50.svc.cluster.local::eds_service_name::outbound|80||echo.istio-vt-t50.svc.cluster.local outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::cx_active::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::cx_connect_fail::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::cx_total::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::rq_active::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::rq_error::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::rq_success::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::rq_timeout::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::rq_total::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::hostname:: outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::health_flags::healthy outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::weight::1 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::region:: outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::zone:: outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::sub_zone:: outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::canary::false outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::priority::0 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::success_rate::-1 outbound|80||echo.istio-vt-t50.svc.cluster.local::10.255.194.76:8080::local_origin_success_rate::-1 outbound|80||echo.istio-verify.svc.cluster.local::observability_name::outbound|80||echo.istio-verify.svc.cluster.local; outbound|80||echo.istio-verify.svc.cluster.local::default_priority::max_connections::4294967295 outbound|80||echo.istio-verify.svc.cluster.local::default_priority::max_pending_requests::4294967295 outbound|80||echo.istio-verify.svc.cluster.local::default_priority::max_requests::4294967295 outbound|80||echo.istio-verify.svc.cluster.local::default_priority::max_retries::4294967295 outbound|80||echo.istio-verify.svc.cluster.local::high_priority::max_connections::1024 outbound|80||echo.istio-verify.svc.cluster.local::high_priority::max_pending_requests::1024 outbound|80||echo.istio-verify.svc.cluster.local::high_priority::max_requests::1024 outbound|80||echo.istio-verify.svc.cluster.local::high_priority::max_retries::3 outbound|80||echo.istio-verify.svc.cluster.local::added_via_api::true outbound|80||echo.istio-verify.svc.cluster.local::eds_service_name::outbound|80||echo.istio-verify.svc.cluster.local outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::cx_active::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::cx_connect_fail::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::cx_total::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::rq_active::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::rq_error::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::rq_success::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::rq_timeout::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::rq_total::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::hostname:: outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::health_flags::healthy outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::weight::1 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::region:: outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::zone:: outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::sub_zone:: outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::canary::false outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::priority::0 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::success_rate::-1 outbound|80||echo.istio-verify.svc.cluster.local::10.255.194.105:8080::local_origin_success_rate::-1 NOTE: mesh has many other namespaces with 'echo' services (t45,t47,t50,istio-verify etc), so the spec grep pattern 'outbound|80||echo' (no namespace anchor) matches multiple unrelated clusters mesh-wide. Full raw /clusters output captured above; isolating just our namespace's cluster below for clarity: $ grep 'outbound|80||echo.istio-vt-t62.svc.cluster.local' on /clusters output outbound|80||echo.istio-vt-t62.svc.cluster.local::observability_name::outbound|80||echo.istio-vt-t62.svc.cluster.local; outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_connections::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_pending_requests::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_requests::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::default_priority::max_retries::4294967295 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_connections::1024 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_pending_requests::1024 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_requests::1024 outbound|80||echo.istio-vt-t62.svc.cluster.local::high_priority::max_retries::3 outbound|80||echo.istio-vt-t62.svc.cluster.local::added_via_api::true outbound|80||echo.istio-vt-t62.svc.cluster.local::eds_service_name::outbound|80||echo.istio-vt-t62.svc.cluster.local CDS count specific to our ns cluster name in config_dump: 3 === CMD7: /stats grep upstream_cx_none_healthy for outbound echo === $ kubectl -n istio-vt-t62 exec client -c istio-proxy -- curl -s localhost:15000/stats | grep 'outbound|80||echo.*upstream_cx_none_healthy' === ANOMALY NOTE (discovered during CMD5-7 analysis, see detailed diagnostics below) === CMD7 (grep upstream_cx_none_healthy) returned EMPTY. Root-caused via two independent checks: (a) RDS dynamic_route_configs for port 80 vhost "echo.istio-vt-t62.svc.cluster.local:80" domains = [echo.istio-vt-t62.svc.cluster.local, echo.istio-vt-t62.svc.cluster.local., echo, echo.istio-vt-t62.svc, echo.istio-vt-t62, ] -- NOTE: does NOT include "echo.istio-vt-t62.svc.homelab.local" (the actual k8s DNS suffix per harness-notes.md). Istio's proxy clusterDomain (used to build RDS Host-header domains) defaults to "cluster.local" independent of the kubelet's real --cluster-domain=homelab.local, and this install was never reconfigured to match. Consequence: the CMD4 curl to http://echo.istio-vt-t62.svc.homelab.local/ sends Host: echo.istio-vt-t62.svc.homelab.local, which matches NO configured vhost domain, so Envoy's HCM falls through to the ALLOW_ANY default route -> PassthroughCluster (confirmed via istio_requests_total stat: destination_service_name=PassthroughCluster, response_flags=UF, response_code=503) instead of ever touching the named "outbound|80||echo.istio-vt-t62.svc.cluster.local" cluster's EDS-driven no-healthy-upstream path. (b) Bootstrap stats_config.stats_matcher.inclusion_list (Istio 1.30 sidecar default) only allows prefixes: reporter=, cluster_manager, listener_manager, server, cluster.xds-grpc, wasm, component, istio*, plus rbac/shadow suffixes and vhost.*.route.* regex. Generic "cluster..upstream_cx_none_healthy" for arbitrary outbound clusters is NOT in this list, so it is never exposed via GET /stats regardless of traffic -- confirmed only 1 unique cluster ("xds-grpc") appears under any "cluster.*" stat in the full /stats dump (132 lines, all under cluster.xds-grpc;.*), and the raw counter is genuinely absent (not merely zero). Diagnostic re-test using a Host header that DOES match RDS ("http://echo/", short name, still resolves correctly via k8s search-domain DNS) while replicas=0: $ kubectl -n istio-vt-t62 exec client -c curl -- curl -s -o /dev/null -w 'short_name_during_zero=%{http_code}\n' http://echo/ short_name_during_zero=503 $ ...stats... istio_requests_total{...destination_service_name.echo...response_flags.UH...}: 2 This confirms the underlying mechanism blog:xds-envoy_xds-api-layers#C4 describes (CDS alive + EDS empty -> 503 with response_flags=UH) IS real and reproducible -- but only when the Host header matches a domain Istio actually knows about. Using the environment's real k8s DNS FQDN suffix (homelab.local) silently detours the request to PassthroughCluster (UF) instead, and the literal Envoy stat named in this test's CMD7 (upstream_cx_none_healthy) is unconditionally filtered out of /stats by Istio's default stats_matcher -- the observable counter that actually carries the signal is the istio_requests_total custom metric tagged response_flags=UH, not the raw Envoy cluster stat. === CMD8: scale echo back to 1, wait rollout === deployment.apps/echo scaled Waiting for deployment "echo" rollout to finish: 0 of 1 updated replicas are available... deployment "echo" successfully rolled out === CMD9: sleep 5 === slept === CMD10: client curl to echo after recovery === $ kubectl -n istio-vt-t62 exec client -c curl -- curl -s -o /dev/null -w 'after_recovery=%{http_code} ' http://echo.istio-vt-t62.svc.homelab.local/ after_recovery=200 === CMD11: diff istioctl proxy-config cluster names vs raw config_dump cluster names === $ diff <(istioctl proxy-config cluster client.istio-vt-t62 -o json | jq -r '.[].name' | sort) <(kubectl exec ... config_dump | jq -r '.configs[].cluster.name' | sort) 1d0 < agent 55,57d53 < prometheus_stats < sds-grpc < xds-grpc diff_exit_code=1 === ANOMALY CLARIFICATION (CMD11 diff analysis) === The literal CMD11 diff (istioctl proxy-config cluster vs config_dump?resource=dynamic_active_clusters) was non-empty: istioctl showed 4 extra names (agent, prometheus_stats, sds-grpc, xds-grpc). Root cause: these 4 are exactly the config_dump's "static_clusters" section (bootstrap-defined, not delivered via CDS) -- confirmed via GET /config_dump (no resource filter): static_clusters = [agent, prometheus_stats, sds-grpc, xds-grpc] (4) dynamic_active_clusters count = 53 istioctl proxy-config cluster (no filter) shows the UNION of both (57 total). Re-comparing as SETS: istioctl_names (57) vs (static_clusters + dynamic_active_clusters from full config_dump) (57) => IDENTICAL, 0 difference either direction. The originally reported diff was a scope mismatch in the spec's own command (it restricted config_dump to resource=dynamic_active_clusters, deliberately excluding the 4 static ones that istioctl includes by default), not a genuine disagreement between istioctl's rendering and the pod's raw xDS state. === CMD12: localhost:15000/stats admin http code === localhost_admin=200 === CMD13: get client pod IP === CLIENT_IP=10.255.126.23 === CMD14: cross-pod admin API access attempt (echo's istio-proxy -> client pod IP:15000) === crosspod_admin_attempt=503 cross_pod_exit=0 === DIRECT VERIFICATION: socket bind addresses inside client's istio-proxy container === $ kubectl -n istio-vt-t62 exec client -c istio-proxy -- ss -tln LISTEN 0 4096 0.0.0.0:15021 0.0.0.0:* LISTEN 0 4096 0.0.0.0:15021 0.0.0.0:* LISTEN 0 4096 0.0.0.0:15006 0.0.0.0:* LISTEN 0 4096 0.0.0.0:15006 0.0.0.0:* LISTEN 0 4096 0.0.0.0:15001 0.0.0.0:* LISTEN 0 4096 0.0.0.0:15001 0.0.0.0:* LISTEN 0 4096 0.0.0.0:15090 0.0.0.0:* LISTEN 0 4096 0.0.0.0:15090 0.0.0.0:* LISTEN 0 4096 127.0.0.1:15000 0.0.0.0:* => 15000 (admin) is bound ONLY to 127.0.0.1 (loopback). 15021/15001/15006/15090 are all bound to 0.0.0.0 (reachable via Pod IP). This directly and unambiguously confirms admin API loopback-only binding, independent of the cross-pod curl outcome below. === CMD15: port 15021 healthz/ready from client's istio-proxy === port_15021=200 === CMD16: 15000/help count of drain_listeners === 1 === CMD17: 15021/clusters (expect 404, not an admin endpoint on this port) === admin_op_on_15021=404