Allow requests from pod to pod without a service

Hello,
I'm using an application that makes some requests to other components after a discovery phase.
Here is the flow:

  1. Component 2 says hello to component 1 with a GET request.
  2. Component 1 frequently pulls some data from component 2 with a POST request.

All components are in specific pods in the same namespace. They both have an istio-proxy.
The first request works fine because component 2 uses the service of component 1.

But the second request doesn't work, and the logs show a response with status 503. Component 1 uses the IP of the pod with a specific port: https://10.73.32.106:8085
Component 1 needs to connect directly to component 2 to pull data from each specific replica.
Component 2 has a service, but only another port (8075) is declared on it.
No service exists with port 8085 for component 2.
Port 8085 is declared as a containerPort of the component 2 pod.

Here is the istio-proxy log of component 1:

[2022-03-16T16:10:58.765Z] "- - -" 0 UH - - "-" 0 0 1 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.73.32.254:8085 10.73.31.77:50740 - -
[2022-03-16T16:10:58.953Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.73.32.254:8085 10.73.31.77:50744 - -
[2022-03-16T16:10:58.956Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.73.30.14:8085 10.73.31.77:37260 - -
[2022-03-16T16:10:58.960Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.73.30.103:8085 10.73.31.77:47894 - -

There are no logs with port 8085 on the istio-proxy of component 2.

I checked Destination Rules and Service Entries, but that doesn't solve my issue.

What solution can I use to allow the connection or to create an exception?

So I have this issue when I use the following parameter during Istio installation: meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY.

UH means "No healthy upstream hosts" according to the Envoy documentation.

I tried to configure an authorization policy with the following rule, but without any success:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: admin-tcp-policy
  namespace: internal
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: component2
  action: ALLOW
  rules:
  - to:
    - operation:
        ports: ["8085"]

My questions:

  • How do I configure the istio-proxy to accept HTTPS traffic sent to a pod IP?
  • How can I define an exception to REGISTRY_ONLY for only certain pods and ports?
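Added example, not part of the original post and not the application's own manifests: two configurations that let traffic to a pod IP on port 8085 get past a sidecar running with meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY. The access log above shows the connection being dropped on component 1's outbound side (BlackHoleCluster, flag UH), before anything reaches component 2, which is why an AuthorizationPolicy selecting component 2 cannot help; the client sidecar needs something to route the destination to. The names, the pod CIDR 10.73.0.0/16, the labels and the image are assumptions to be replaced with the cluster's real values.

```yaml
# Option A: register the pod IP range on port 8085 as a mesh-internal
# ServiceEntry with resolution NONE. Istio then programs an outbound
# listener on 10.73.0.0/16:8085 whose cluster is of type ORIGINAL_DST,
# so the connection is forwarded to the pod IP the application dialed
# instead of going to BlackHoleCluster. Protocol is TCP (not TLS) so
# the sidecar does not try to match SNI, which an https://<ip>:8085
# request would not send. Host name and CIDR are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: component2-direct-8085
  namespace: internal
spec:
  hosts:
  - component2-direct.internal.svc.cluster.local   # assumed name; only a label when resolution is NONE
  addresses:
  - 10.73.0.0/16                                   # assumed pod CIDR; narrow it to the real one
  location: MESH_INTERNAL
  resolution: NONE
  exportTo:
  - "."                                            # keep the exception local to this namespace
  ports:
  - number: 8085
    name: tcp-admin
    protocol: TCP
---
# Option B: take port 8085 out of the client sidecar entirely. With this
# annotation the istio-init iptables rules no longer redirect outbound
# connections to port 8085 through Envoy, so REGISTRY_ONLY never sees
# them. The application's own HTTPS is the only protection on the wire
# for that port. Deployment name, labels and image are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: component1
  namespace: internal
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: component1
  template:
    metadata:
      labels:
        app.kubernetes.io/component: component1
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8085"
    spec:
      containers:
      - name: component1
        image: example.invalid/component1:latest   # placeholder image
```

Option A keeps the traffic inside the mesh, so it still shows up in component 1's access log and can be scoped with exportTo; it answers the second question (an exception limited to a CIDR and a port rather than switching the whole mesh to ALLOW_ANY). Either option leaves the mTLS question open: with a STRICT PeerAuthentication on component 2, the inbound sidecar will reject a plain TCP connection on 8085, so check the PeerAuthentication for that namespace (or exclude the port on the inbound side with traffic.sidecar.istio.io/excludeInboundPorts as well) before relying on this.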