Here’s my custom Gateway and VirtualService config:
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  namespace: discourse
  name: discourse-gw
spec:
  selector:
    # use istio default controller
    istio: ingressgateway
  servers:
  # The Port on which the proxy should listen for incoming connections.
  # In this case `ingressgateway` is listening on port 80 internally and
  # on the NodePort 31380 externally.
  - port:
      number: 80
      protocol: HTTP # one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS
      name: http-discourse
    # A list of hosts exposed by this gateway. At least one host is required.
    # Typically applicable to HTTP services, but it can also be used for TCP
    # services using TLS with SNI. May contain a wildcard prefix:
    # *.foo.com --> bar.foo.com AND *.com --> bar.foo.com, example.com, etc.
    hosts:
    - discuss.example.com
---
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  namespace: discourse
  name: discourse-virt-svc
spec:
  gateways:
  - discourse-gw
  hosts:
  - "*"
  http:
  - route:
    - destination:
        host: discourse.discourse.svc.cluster.local
        port:
          number: 3000
---
So my configured domain discuss.example.com works fine:
$ curl -so /dev/null -LD- http://discuss.example.com:31380
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
status: 200 OK
x-discourse-cached: true
cache-control: no-cache, no-store
referrer-policy: strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-request-id: 501cb0db-e9ad-4393-9f9f-717a12294151
x-discourse-route: list/latest
x-discourse-trackview: 1
x-download-options: noopen
x-runtime: 0.001691
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
date: Sat, 16 Feb 2019 21:24:10 GMT
x-powered-by: Phusion Passenger 6.0.1
server: envoy
x-envoy-upstream-service-time: 3
transfer-encoding: chunked
But other, unconfigured domains work too…
$ curl -so /dev/null -LD- http://example.com:31380
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
status: 200 OK
cache-control: no-cache, no-store
referrer-policy: strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-request-id: d598ab33-6e41-4f01-86d2-62d6b80cbf26
x-discourse-route: list/latest
x-discourse-trackview: 1
x-download-options: noopen
x-runtime: 0.046380
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
date: Sat, 16 Feb 2019 21:29:40 GMT
x-powered-by: Phusion Passenger 6.0.1
server: envoy
x-envoy-upstream-service-time: 47
transfer-encoding: chunked
Any idea why?
BTW, I’m using NodePort in the istio-ingressgateway:
---
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways-1.0.5
    release: istio
    heritage: Tiller
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    -
      name: http2
      nodePort: 31380
      port: 80
      targetPort: 80
    -
      name: https
      nodePort: 31390
      port: 443
    -
      name: tcp
      nodePort: 31400
      port: 31400
    -
      name: tcp-pilot-grpc-tls
      port: 15011
      targetPort: 15011
    -
      name: tcp-citadel-grpc-tls
      port: 8060
      targetPort: 8060
    -
      name: tcp-dns-tls
      port: 853
      targetPort: 853
    -
      name: http2-prometheus
      port: 15030
      targetPort: 15030
    -
      name: http2-grafana
      port: 15031
      targetPort: 15031
---