=== CMD: kubectl -n istio-vt-t75 wait --for=condition=Ready pod/client-netdiag --timeout=90s ===
pod/client-netdiag condition met
=== RC: 0 ===

=== CMD: kubectl -n istio-vt-t75 exec client-netdiag -c curl -- env | grep -i proxy || echo 'no proxy env vars set on app container' ===
no proxy env vars set on app container
=== RC: 0 ===

=== CMD: kubectl -n istio-vt-t75 exec client-netdiag -c curl -- curl -s -o /dev/null -w 'app_unaware_call=%{http_code} ' http://echo.istio-vt-t75.svc.homelab.local/ ===
app_unaware_call=200
=== RC: 0 ===

=== CMD: kubectl -n istio-vt-t75 exec client-netdiag -c netdiag -- iptables -t nat -L ISTIO_OUTPUT -n | head -20 ===
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain ISTIO_OUTPUT (1 references)
target             prot opt source      destination
RETURN             all  --  127.0.0.6   0.0.0.0/0
ISTIO_IN_REDIRECT  tcp  --  0.0.0.0/0   !127.0.0.1   tcp dpt:!15008 owner UID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    ! owner UID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    owner UID match 1337
ISTIO_IN_REDIRECT  tcp  --  0.0.0.0/0   !127.0.0.1   tcp dpt:!15008 owner GID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    ! owner GID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    owner GID match 1337
RETURN             all  --  0.0.0.0/0   127.0.0.1
ISTIO_REDIRECT     all  --  0.0.0.0/0   0.0.0.0/0
=== RC: 0 ===

=== CMD: kubectl -n istio-vt-t75 exec client-netdiag -c netdiag -- iptables -t nat -L -n | grep -i 'REDIRECT\|15001\|15006\|owner' ===
ISTIO_IN_REDIRECT  tcp  --  0.0.0.0/0   0.0.0.0/0
Chain ISTIO_IN_REDIRECT (3 references)
REDIRECT           tcp  --  0.0.0.0/0   0.0.0.0/0    redir ports 15006
ISTIO_IN_REDIRECT  tcp  --  0.0.0.0/0   !127.0.0.1   tcp dpt:!15008 owner UID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    ! owner UID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    owner UID match 1337
ISTIO_IN_REDIRECT  tcp  --  0.0.0.0/0   !127.0.0.1   tcp dpt:!15008 owner GID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    ! owner GID match 1337
RETURN             all  --  0.0.0.0/0   0.0.0.0/0    owner GID match 1337
ISTIO_REDIRECT     all  --  0.0.0.0/0   0.0.0.0/0
Chain ISTIO_REDIRECT (1 references)
REDIRECT           tcp  --  0.0.0.0/0   0.0.0.0/0    redir ports 15001
# Warning: iptables-legacy tables present, use iptables-legacy to see them
=== RC: 0 ===

=== CMD: kubectl -n istio-vt-t75 exec client-netdiag -c istio-proxy -- id ===
uid=1337(istio-proxy) gid=1337(istio-proxy) groups=1337(istio-proxy)
=== RC: 0 ===

=== CMD: istioctl proxy-config listener client-netdiag.istio-vt-t75 -o json | jq -r '.[].name' | grep -E '15001|15006' ===
=== RC: 1 ===

=== NOTE: cmd7 grep matched 0 lines (rc=1) because in this Istio version listener names are "virtualOutbound"/"virtualInbound" rather than the older "0.0.0.0_15001"/"0.0.0.0_15006" literal naming. Confirmed via follow-up query that both listeners exist bound to the expected ports. ===

=== CMD (diagnostic follow-up): istioctl proxy-config listener client-netdiag.istio-vt-t75 -o json | jq -r '.[] | select(.name=="virtualOutbound" or .name=="virtualInbound") | {name, address: .address.socketAddress}' ===
{
  "name": "virtualOutbound",
  "address": {
    "address": "0.0.0.0",
    "portValue": 15001
  }
}
{
  "name": "virtualInbound",
  "address": {
    "address": "0.0.0.0",
    "portValue": 15006
  }
}
=== RC: 0 ===