Sidecar allow_any

maybe a general question but I have contradicting results:

I have an istio sidecar file with egress hosts (internal services and external hosts which are declared within ServiceEntry)

and an OutboundTrafficPolicy: ALLOW_ANY

when I try to check connections of a workload which is selected by the sidecar,

using kubectl exec I can connect to every thing , even to services which are not in the hosts list
but using istioctl proxy-config clusters I see only the services in the list

what is the correct behavior?
does allow_any means to ignore the hosts list ?
or does it valuable only when hosts is */* to allow any service indeed?