TCP mTLS encryption

I’m in a tailspin.

I have a python project that opens a socket and prints what comes through.
I stood up a dockerfile for that project, built an image, loaded that image into minikube.

I have installed istio for minikube along with ksniff.
I created yaml deployments of my docker image to the default namespace.

I enabled auto-injection of istio sidecars using labelling. I labelled the default namespace such that it will get proxies.
I have set my cluster to use auto-mTLS and checked to see “ISTIO_MUTUAL” and “PERMISSIVE” when I do an "istioctl authn tls-check".

I added annotations to my deployment yamls to allow rewriteAppHTTPProbers.

I have deployed two pods in my cluster (same image) and verified that they have istio proxies attached.
I can look at the logs of one which is running my python code as the entry point, and exec a netcat command in the other to send some data across and verify that it arrives.

Everything is good up to this point.

When I use ksniff to watch traffic related to my pod with the open socket, I see my TCP packet come across the wire, but it is not encrypted. I can see the plaintext right in Wireshark. This is bad.

I’ve exhausted checking everything that I know about, so I’m just left wondering what it is that I maybe don’t understand.

Any ideas?

Happy to provide more info if I’m told what’s relevant.

Thanks in advance

Could you share your meshpolicy along with any namespace level policy and destination rules you have in place. Also the service yamls if possible.
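As an added example of the three objects the reply asks for (this is not the original poster's configuration; the names tcp-listener, the app label and port 9000 are assumptions, and the API versions are the Istio 1.4-era ones in which "istioctl authn tls-check" still exists), here is a mesh policy, a Service and a DestinationRule that together force mTLS for a raw TCP service and make any plaintext connection fail instead of silently succeeding:

```yaml
# Added example, not the original poster's manifests. The names below
# (tcp-listener, app=tcp-listener, port 9000) are assumptions.

# 1. Mesh-wide peer authentication. PERMISSIVE (the default, and what
#    tls-check reported above) lets the receiving sidecar accept both
#    mTLS and plaintext. STRICT makes it reject plaintext, so an
#    unencrypted connection is refused instead of showing up in ksniff.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default          # MeshPolicy is cluster-scoped and must be named "default"
spec:
  peers:
  - mtls:
      mode: STRICT       # was PERMISSIVE; STRICT refuses plaintext
---
# 2. Service. The sidecar only intercepts, and therefore only encrypts,
#    traffic addressed to a port declared on a Service. A port named
#    "tcp-..." is treated as raw TCP (an unnamed port also defaults to TCP,
#    but naming it makes the protocol explicit).
apiVersion: v1
kind: Service
metadata:
  name: tcp-listener
  namespace: default
spec:
  selector:
    app: tcp-listener    # must match the pod labels in the Deployment
  ports:
  - name: tcp-listener
    port: 9000
    targetPort: 9000
---
# 3. DestinationRule. Clients present Istio-issued certificates when
#    connecting to this host. Auto-mTLS already implies this, but stating
#    it explicitly removes one variable from the diagnosis.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tcp-listener
  namespace: default
spec:
  host: tcp-listener.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

The caveat that matters for the symptom described above: the client sidecar applies mTLS only to connections whose destination matches a Service port in the mesh. A netcat session aimed straight at the other pod's IP, or at a port the Service does not list, is routed through the proxy's passthrough path as plain TCP, and with the mesh in PERMISSIVE mode the receiving sidecar accepts it, which is exactly what plaintext in Wireshark looks like. Send the test traffic to the Service name (for example nc tcp-listener 9000 from inside the client pod) and confirm the pairing with istioctl authn tls-check <client-pod> tcp-listener.default.svc.cluster.local; with STRICT in place, a connection that bypasses the Service should now be reset rather than delivered.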