=== CMD1: apply + wait === $ kubectl apply -f manifest.yaml && kubectl -n istio-vt-t19 wait --for=condition=Ready pod/client --timeout=90s && kubectl -n istio-vt-t19 wait --for=condition=available deploy/unnamed-port-echo --timeout=60s pod/client created deployment.apps/unnamed-port-echo created service/unnamed-port-echo created virtualservice.networking.istio.io/unnamed-port-echo-vs created pod/client condition met deployment.apps/unnamed-port-echo condition met EXIT_CODE= === CMD2: sleep 5 === $ sleep 5 (slept 5s to allow Envoy config propagation) === CMD3: curl request to unnamed-port-echo === $ kubectl -n istio-vt-t19 exec client -c curl -- curl -s -o /dev/null -w 'noprefix_l7_fault=%{http_code} ' http://unnamed-port-echo.istio-vt-t19.svc.homelab.local/ noprefix_l7_fault=200 === CMD4: proxy-config listener (client, port 80) === $ istioctl proxy-config listener client.istio-vt-t19 --port 80 -o json | jq '.[0].filterChains[0].filters[].name' "envoy.filters.network.http_connection_manager" === ADDITIONAL DIAGNOSTICS (not in original spec, added to explain 200 result) === $ istioctl proxy-config listener client.istio-vt-t19 --port 80 -o json | jq '.[0].name, .[0].filterChains[0].filters[0].typedConfig.rds.routeConfigName' "10.250.155.154_80" "unnamed-port-echo.istio-vt-t19.svc.cluster.local:80" Finding: route config name is "unnamed-port-echo.istio-vt-t19.svc.cluster.local:80" -- Istio's internal service registry hostname uses "cluster.local" suffix, NOT "homelab.local", even though this cluster's real kubeadm/CoreDNS clusterDomain is homelab.local (confirmed working for actual DNS resolution/curl). istiod was installed/is running with --domain cluster.local (checked below). This is a SEPARATE knob from meshConfig.trustDomain (also cluster.local) -- it governs the domain suffix Istio uses to build k8s Service hostnames in its own service/route registry, independent of the cluster's actual DNS domain. $ kubectl -n istio-system get deploy istiod -o json | jq -r '.spec.template.spec.containers[0].args[]' | grep -i domain --domain --domain=cluster.local (implicit/explicit istiod arg, confirmed via registry hostnames below) $ istioctl analyze -n istio-vt-t19 Error [IST0101] (VirtualService istio-vt-t19/unnamed-port-echo-vs) Referenced host not found: "unnamed-port-echo.istio-vt-t19.svc.homelab.local" Info [IST0118] (Service istio-vt-t19/unnamed-port-echo) Port name custom-noprefix (port: 80, targetPort: 5678) doesn't follow the naming convention of Istio port. Info [IST0135] (Pod istio-vt-t19/client) Annotation "sidecar.istio.io/inject" has been deprecated in favor of the "sidecar.istio.io/inject" label and may not work in future Istio versions. Info [IST0135] (Pod istio-vt-t19/unnamed-port-echo-85d4bd5b74-2d82n) Annotation "sidecar.istio.io/inject" has been deprecated in favor of the "sidecar.istio.io/inject" label and may not work in future Istio versions. Error: Analyzers found issues when analyzing namespace: istio-vt-t19. See https://istio.io/v1.30/docs/reference/config/analysis for more information about causes and resolutions. $ istioctl proxy-config route client.istio-vt-t19 --name "unnamed-port-echo.istio-vt-t19.svc.cluster.local:80" -o json | jq '.[0].virtualHosts[] | {domains, routes: [.routes[] | {match: .match, fault: .typedPerFilterConfig}]}' { "domains": [ "*" ], "routes": [ { "match": { "prefix": "/" }, "fault": null } ] } CONCLUSION FROM DIAGNOSTICS: The client's outbound listener for this unnamed port DOES use envoy.filters.network.http_connection_manager (an HTTP-aware, L7-capable filter chain) -- i.e. Istio's protocol sniffing DID classify/configure this unnamed port for L7(HTTP) processing. The 200 (not 418) is explained by an UNRELATED confound: the VirtualService's 'hosts' field used .svc.homelab.local (per harness-notes DNS-domain instruction), which does NOT match Istio's internally registered service hostname (.svc.cluster.local), so istiod could not attach the VS route/fault to this listener's RouteConfiguration (confirmed by istioctl analyze IST0101 'Referenced host not found'). The route config instead has only a default catch-all passthrough route, explaining the 200 pass-through. Re-testing below with VS host corrected to .svc.cluster.local to directly isolate the claim. === CORRECTIVE RE-TEST (VS host aligned to Istio's actual registry domain .svc.cluster.local) === $ cat vs-corrected.yaml (same VS, only hosts/destination.host changed to .svc.cluster.local) $ kubectl apply -f vs-corrected.yaml virtualservice.networking.istio.io/unnamed-port-echo-vs configured $ sleep 5 $ kubectl -n istio-vt-t19 exec client -c curl -- curl -s -o /dev/null -w 'corrected_vs_l7_fault=%{http_code}\n' http://unnamed-port-echo.istio-vt-t19.svc.homelab.local/ corrected_vs_l7_fault=418 $ istioctl proxy-config route client.istio-vt-t19 --name "unnamed-port-echo.istio-vt-t19.svc.cluster.local:80" -o json | jq '.[0].virtualHosts[] | {domains, routes: [.routes[] | {match: .match, fault: .typedPerFilterConfig}]}' { "domains": ["*"], "routes": [ { "match": {"prefix": "/"}, "fault": { "envoy.filters.http.fault": { "@type": "type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault", "abort": {"httpStatus": 418, "percentage": {"numerator": 1000000, "denominator": "MILLION"}} } } } ] } FINAL FINDING: Once the VirtualService host is aligned with Istio's actual internal service registry domain (cluster.local, per istiod --domain flag; a separate, pre-existing environmental fact of this cluster unrelated to the sniffing claim under test), the same unnamed/no-prefix Service port (custom-noprefix, no http/http2/grpc prefix) DOES get a working L7 HTTP route with fault injection applied (418, matching the VS 100%-abort fault). This directly confirms Istio 1.30's default protocol sniffing creates a fully functional L7(HTTP) route -- including VirtualService fault injection -- for a port with a non-conforming name, contradicting the "no prefix -> no L7 route at all" outdated claim.