I’m in a tailspin.
I have a Python project that opens a socket and prints what comes through.
I stood up a Dockerfile for that project, built an image, and loaded that image into minikube.
I have installed Istio for minikube along with ksniff.
I created YAML deployments of my Docker image to the default namespace.
I enabled auto-injection of Istio sidecars using labelling. I labelled the default namespace such that it will get proxies.
I have set my cluster to use auto-mTLS and checked to see “ISTIO_MUTUAL” and “PERMISSIVE” when I do an "istioctl authn tls-check ".
I added annotations to my deployment YAMLs to allow rewriteAppHTTPProbers.
I have deployed two pods in my cluster (same image) and verified that they have Istio proxies attached.
I can look at the logs of one which is running my python code as the entry point, and exec a netcat command in the other to send some data across and verify that it arrives.
Everything is good up to this point.
When I use ksniff to watch traffic related to my pod with the open socket, I see my TCP packet come across the wire, but it is not encrypted. I can see the plaintext right in Wireshark. This is bad.
I’ve exhausted checking everything that I know about, so I’m just left wondering what it is that I maybe don’t understand.
Any ideas?
Happy to provide more info if I’m told what’s relevant.
Thanks in advance.