### kubectl create namespace istio-vt-t63 namespace/istio-vt-t63 created ### kubectl label namespace istio-vt-t63 istio-injection=enabled namespace/istio-vt-t63 labeled ### kubectl apply -f manifest.yaml pod/client created deployment.apps/echo created service/echo created pod/nonhttp-target created service/nonhttp-target created Warning: configured AuthorizationPolicy will deny all traffic to TCP ports under its scope due to the use of only HTTP attributes in a DENY rule; it is recommended to explicitly specify the port authorizationpolicy.security.istio.io/deny-path-on-nonhttp created ### kubectl -n istio-vt-t63 wait --for=condition=Ready pod/client pod/nonhttp-target --timeout=90s pod/client condition met pod/nonhttp-target condition met ### kubectl -n istio-vt-t63 rollout status deploy/echo --timeout=120s deployment "echo" successfully rolled out ### kubectl -n istio-vt-t63 get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES client 2/2 Running 0 13s 10.255.159.191 k8s-master1 echo-5767bbcc56-xkwqh 2/2 Running 0 13s 10.255.126.24 k8s-worker2 nonhttp-target 2/2 Running 0 13s 10.255.194.86 k8s-worker1 ### CMD1: istioctl proxy-config listener deploy/echo.istio-vt-t63 --port 8080 -o json | jq '.[0].filterChains[0].filters[] | .name' "envoy.filters.network.http_connection_manager" ### CMD2: istioctl proxy-config listener deploy/echo.istio-vt-t63 --port 8080 -o json | jq (select the http_connection_manager filter and print the names of its httpFilters) "istio.metadata_exchange" "envoy.filters.http.grpc_stats" "istio.alpn" "envoy.filters.http.fault" "envoy.filters.http.cors" "istio.stats" "envoy.filters.http.router" ### sleep 5 ### CMD4: istioctl proxy-config listener client.istio-vt-t63 --port 9292 -o json | jq '.[0].filterChains[0].filters[].name' "istio.stats" "envoy.filters.network.tcp_proxy" ### CMD5: kubectl -n istio-vt-t63 exec client -c curl -- curl ... 
http://nonhttp-target.istio-vt-t63.svc.homelab.local:9292/blocked-path-should-not-matter l7_policy_on_nonhttp=000 command terminated with exit code 52 ### DEBUG: retry with -v * Host nonhttp-target.istio-vt-t63.svc.homelab.local:9292 was resolved. * IPv6: (none) * IPv4: 10.250.34.213 * Trying 10.250.34.213:9292... * Connected to nonhttp-target.istio-vt-t63.svc.homelab.local (10.250.34.213) port 9292 * using HTTP/1.x > GET /blocked-path-should-not-matter HTTP/1.1 > Host: nonhttp-target.istio-vt-t63.svc.homelab.local:9292 > User-Agent: curl/8.14.1 > Accept: */* > * Request completely sent off * Empty reply from server * shutting down connection #0 l7_policy_on_nonhttp=000 command terminated with exit code 52 ### DEBUG: DNS resolution check 10.250.34.213 nonhttp-target.istio-vt-t63.svc.homelab.local nonhttp-target.istio-vt-t63.svc.homelab.local ### DEBUG: inbound listener filters on nonhttp-target pod (server side) port 9292 "istio.stats" "envoy.filters.network.tcp_proxy" ### DEBUG: RBAC filter config on nonhttp-target inbound listener ### DEBUG: full inbound listener config search for rbac (all filterChains) [ "istio.stats", "envoy.filters.network.tcp_proxy" ] ---- filterChains count ---- 1 ---- grep rbac in whole doc ---- ### DEBUG: nonhttp-target istio-proxy logs (last 30 lines) serviceCluster: istio-proxy statNameLength: 189 statusPort: 15020 terminationDrainDuration: 5s 2026-07-05T00:03:25.000225Z info JWT policy is third-party-jwt 2026-07-05T00:03:25.000227Z info using credential fetcher of JWT type in cluster.local trust domain 2026-07-05T00:03:25.201788Z info Opening status port 15020 2026-07-05T00:03:25.201802Z info Starting default Istio SDS Server 2026-07-05T00:03:25.202220Z info CA Endpoint istiod.istio-system.svc:15012, provider Citadel 2026-07-05T00:03:25.202291Z info Using CA istiod.istio-system.svc:15012 cert with certs: var/run/secrets/istio/root-cert.pem 2026-07-05T00:03:25.202922Z info xdsproxy Initializing with upstream address 
"istiod.istio-system.svc:15012" and cluster "Kubernetes" 2026-07-05T00:03:25.203201Z info sds Starting SDS grpc server 2026-07-05T00:03:25.203218Z info sds Starting SDS server for workload certificates, will listen on "var/run/secrets/workload-spiffe-uds/socket" 2026-07-05T00:03:25.204625Z info Pilot SAN: [istiod.istio-system.svc] 2026-07-05T00:03:25.205464Z info Starting proxy agent 2026-07-05T00:03:25.205574Z info Envoy command: [-c etc/istio/proxy/envoy-rev.json --drain-time-s 45 --drain-strategy immediate --local-address-ip-version v4 --file-flush-interval-msec 1000 --disable-hot-restart --allow-unknown-static-fields -l warning --component-log-level misc:error --skip-deprecated-logs --concurrency 2] 2026-07-05T00:03:25.270639Z info xdsproxy connected to delta upstream XDS server: istiod.istio-system.svc:15012 id=1 2026-07-05T00:03:25.320915Z info ads ADS: new connection for node:1 2026-07-05T00:03:25.321916Z info ads ADS: new connection for node:2 2026-07-05T00:03:25.336562Z info cache generated new workload certificate resourceName=default latency=133.234186ms ttl=23h59m59.663442861s 2026-07-05T00:03:25.336709Z info cache Root cert has changed, start rotating root cert 2026-07-05T00:03:25.336744Z info cache returned workload trust anchor from cache ttl=23h59m59.663256361s 2026-07-05T00:03:25.336825Z info cache returned workload certificate from cache ttl=23h59m59.663191499s 2026-07-05T00:03:25.337162Z info cache returned workload trust anchor from cache ttl=23h59m59.662838717s 2026-07-05T00:03:25.337408Z info cache returned workload trust anchor from cache ttl=23h59m59.662593195s 2026-07-05T00:03:26.642992Z info Readiness succeeded in 1.649003786s 2026-07-05T00:03:26.643430Z info Envoy proxy is ready [2026-07-05T00:04:17.801Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 637 542 11 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:58343 10.255.194.86:9292 10.255.159.191:57916 
outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local - [2026-07-05T00:04:27.490Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 637 542 3 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:34967 10.255.194.86:9292 10.255.159.191:60574 outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local - ### DEBUG: nonhttp-target raw container logs (last 20 lines) 2026/07/05 00:03:24 Server is listening on :9292 ### DEBUG: full listener dump (no port filter) search for rbac filter + its typedConfig [ null, "istio.stats", "envoy.filters.network.tcp_proxy", 15006, "istio.metadata_exchange", "istio.stats", "envoy.filters.network.tcp_proxy", null, "istio.metadata_exchange", "envoy.filters.network.http_connection_manager", null, "istio.metadata_exchange", "envoy.filters.network.http_connection_manager", null, "istio.metadata_exchange", "envoy.filters.network.rbac", "istio.stats", "envoy.filters.network.tcp_proxy", null, "istio.metadata_exchange", "envoy.filters.network.rbac", "istio.stats", "envoy.filters.network.tcp_proxy", null, "istio.metadata_exchange", "envoy.filters.network.rbac", "istio.stats", "envoy.filters.network.tcp_proxy", 9292, "istio.metadata_exchange", "envoy.filters.network.rbac", "istio.stats", "envoy.filters.network.tcp_proxy", 9292, "istio.metadata_exchange", "envoy.filters.network.rbac", "istio.stats", "envoy.filters.network.tcp_proxy", 9292, "istio.metadata_exchange", "envoy.filters.network.rbac", "istio.stats", "envoy.filters.network.tcp_proxy" ] ### CONFIRM: re-run exact spec CMD5 once more for determinism l7_policy_on_nonhttp=000 command terminated with exit code 52 ### CONFIRM: sanity check: is a request without the blocked path (the baseline, non-mesh-blocked path) still denied? 
(informational only) baseline_no_path=000 command terminated with exit code 52 ### EVIDENCE: istio-proxy access log on nonhttp-target confirming rbac denial (tail) 2026-07-05T00:03:25.337162Z info cache returned workload trust anchor from cache ttl=23h59m59.662838717s 2026-07-05T00:03:25.337408Z info cache returned workload trust anchor from cache ttl=23h59m59.662593195s 2026-07-05T00:03:26.642992Z info Readiness succeeded in 1.649003786s 2026-07-05T00:03:26.643430Z info Envoy proxy is ready [2026-07-05T00:04:17.801Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 637 542 11 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:58343 10.255.194.86:9292 10.255.159.191:57916 outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local - [2026-07-05T00:04:27.490Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 637 542 3 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:34967 10.255.194.86:9292 10.255.159.191:60574 outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local - ### EVIDENCE: kubectl apply warning captured earlier for AuthorizationPolicy (from apply step above): 'configured AuthorizationPolicy will deny all traffic to TCP ports under its scope due to the use of only HTTP attributes in a DENY rule; it is recommended to explicitly specify the port' ### EVIDENCE (recheck): istio-proxy access log tail=10 after extra wait 2026-07-05T00:03:25.336744Z info cache returned workload trust anchor from cache ttl=23h59m59.663256361s 2026-07-05T00:03:25.336825Z info cache returned workload certificate from cache ttl=23h59m59.663191499s 2026-07-05T00:03:25.337162Z info cache returned workload trust anchor from cache ttl=23h59m59.662838717s 2026-07-05T00:03:25.337408Z info cache returned workload trust anchor from cache ttl=23h59m59.662593195s 2026-07-05T00:03:26.642992Z info Readiness succeeded in 1.649003786s 
2026-07-05T00:03:26.643430Z info Envoy proxy is ready [2026-07-05T00:04:17.801Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 637 542 11 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:58343 10.255.194.86:9292 10.255.159.191:57916 outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local - [2026-07-05T00:04:27.490Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 637 542 3 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:34967 10.255.194.86:9292 10.255.159.191:60574 outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local - [2026-07-05T00:06:30.031Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 637 542 1 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:36771 10.255.194.86:9292 10.255.159.191:53740 outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local - [2026-07-05T00:06:30.128Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[istio-vt-t63]-policy[deny-path-on-nonhttp]-rule[0]] "-" 607 542 1 - "-" "-" "-" "-" "10.255.194.86:9292" inbound|9292|| 127.0.0.6:45723 10.255.194.86:9292 10.255.159.191:53744 outbound_.9292_._.nonhttp-target.istio-vt-t63.svc.cluster.local -