maybe a general question but I have contradicting results:
I have an istio sidecar file with egress hosts (internal services and external hosts which are declared within ServiceEntry)
and an OutboundTrafficPolicy: ALLOW_ANY
when I try to check connections of a workload which is selected by the sidecar,
using kubectl exec I can connect to every thing , even to services which are not in the hosts list
but using istioctl proxy-config clusters I see only the services in the list
what is the correct behavior?
does allow_any means to ignore the hosts list ?
or does it valuable only when hosts is */* to allow any service indeed?