Istio blocks non-mTLS call in permisive mode cross-namespace

Hello all,

I’m attempting to have SVCA (non-istio) in namespace A speak to SVCB (istio + mTLS) in namespace B. I’ve created a mesh policy in PERMISSIVE mode as specified in the global TLS documents

Here is our meshPolicy:

kind: MeshPolicy
  annotations: |
  creationTimestamp: "2019-07-18T18:29:35Z"
  generation: 1
    app: security
    chart: security
    heritage: Tiller
    release: istio
  name: default
  resourceVersion: "5245"
  selfLink: /apis/
  uid: fe79a8f8-a989-11e9-9fb1-4201ac100006
  - mtls:
      mode: PERMISSIVE

I can confirm that there are no destination rules besides the istio defaults

$ k get destinationRules --all-namespaces
NAMESPACE      NAME              HOST                                             AGE
istio-system   istio-policy      istio-policy.istio-system.svc.cluster.local      1h
istio-system   istio-telemetry   istio-telemetry.istio-system.svc.cluster.local   1h

When I have istio turned off I am able to communicate fine between these services. What steps would I need to take to allow this cross-namespace communcation?