DestinationRule mTLS is not applied correctly when client & service are in the same namespace


I’ve applied Istio 1.1.7 with MeshPolicy in PERMISSIVE mode.

I’m trying to configure a DestinationRule for serviceA in namespaceA to only applied on clients on namespaceA.

I have another client on namespaceB that connects to serviceA, I’ve expected that this traffic will be clear, but unfortunately it’s encrypted.

Am I doing something wrong? Is it by design?

apiVersion: “
kind: “DestinationRule”
name: “mtls-only-in-namespaceA”
namespace: namespaceA
host: serviceA.namespaceA.svc.cluster.local

BTW - When applied the same rule on namespaceB, ONLY traffic from clientB to serviceA was encrypted.

A DestinationRule is exported to all namespaces unless you set the exportTo field to .

Thanks @frankbu for your answer, it worked.
But not I failed to understand why when I applied to same rule (w/o exportTo field) on namespaceB, the rule was not exported to all namespaces, ONLY traffic from clientB to serviceA was encrypted.

@idan_frimark separate from exportTo, the destination rule lookup path is basically:

  1. client namespace
  2. service namespace
  3. istio-system

Hmm, I guess this isn’t documented anywhere except in the code:

OK, now I understand. Thank you!