Istio blocks non-mTLS call in permisive mode cross-namespace

Hello all,

I’m attempting to have SVCA (non-istio) in namespace A speak to SVCB (istio + mTLS) in namespace B. I’ve created a mesh policy in PERMISSIVE mode as specified in the global TLS documents

Here is our meshPolicy:

kind: MeshPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"MeshPolicy","metadata":{"annotations":{},"labels":{"app":"security","chart":"security","heritage":"Tiller","release":"istio"},"name":"default","namespace":""},"spec":{"peers":[{"mtls":{"mode":"PERMISSIVE"}}]}}
  creationTimestamp: "2019-07-18T18:29:35Z"
  generation: 1
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio
  name: default
  resourceVersion: "5245"
  selfLink: /apis/authentication.istio.io/v1alpha1/meshpolicies/default
  uid: fe79a8f8-a989-11e9-9fb1-4201ac100006
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

I can confirm that there are no destination rules besides the istio defaults

$ k get destinationRules --all-namespaces
NAMESPACE      NAME              HOST                                             AGE
istio-system   istio-policy      istio-policy.istio-system.svc.cluster.local      1h
istio-system   istio-telemetry   istio-telemetry.istio-system.svc.cluster.local   1h

When I have istio turned off I am able to communicate fine between these services. What steps would I need to take to allow this cross-namespace communcation?