Default Access Denied issue

I have deployed the nexus 3 repository manager and I can access the pod its IP to get to the default webpage or use curl on port 8081.
The namespace is enabled with Istio injection and sidecars are deployed.
No roles or rolebindings have been created.
As soon as I create say a clusterip service pointing to the app: nexus, I get an immediate “access denied” with curl on the pod its IP and on the clusterIP, so my application is no longer reachable. I have no idea why. If I don’t create any service definition the application runs without a hitch. Any tips on where to look are appreciated.
Why does creating a service like this suddenly render my app no longer reachable?
If I deploy my app and service in another namespace with istio injection not enabled it works and I don’t get any access denieds. What in istio is blocking my app by default when creating a service?

apiVersion: v1
kind: Service
name: nexus-web
app: nexus
- port: 80
name: http-web
protocol: TCP
targetPort: 8081
app: nexus
type: ClusterIP

on ClusterIP
Access denied

on pod IP
Access denied