Trouble sniffing plain text traffic to a pod


I was trying to verify mTLS enabled/enforced in a namespace. I installed Istio with
I used the httpbin and sleep sample apps and deployed them across the “foo”, “bar” and “legacy” namespaces. Istio sidecar proxies are not injected in the legacy namespace.
I then enforced mTLS in the “foo” namespace using the following:

kubectl apply -n foo -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
EOF

Everything works fine. Traffic from and to is allowed. Traffic from sleep.legacy to is denied.

I decided to sniff the traffic going to using the following:

kubectl exec -nbar "$(kubectl get pod -nbar -lapp=httpbin -ojsonpath={})" -c istio-proxy -- sudo tcpdump dst port 80 -A

Note that mTLS STRICT is NOT set in the “bar” namespace. I generated traffic from and sleep.legacy to. There are no errors and I can see the web page contents fine in both cases.

However, I noticed the following:

  1. tcpdump will show/log traffic from either or to. However, it is not consistent and will not always show it. Most of the time it will, though.
  2. Traffic from sleep.legacy to is not captured/shown. Of the many times I attempted this, it managed to capture it only once, and it appeared to be encrypted (definitely not plain text).

I am testing this with minikube. Is this expected? I am particularly curious about traffic from sleep.legacy to not getting sniffed.

What gives? thx

Is my following understanding of the mTLS, TLS and plain-text rules correct in the context of the httpbin and sleep apps deployed across the foo, bar and legacy namespaces? As indicated above, the legacy namespace does not have Istio sidecar proxies.

  1. Traffic between foo and bar in either direction will use mTLS.
  2. Traffic from apps in legacy namespace to either foo or bar namespaces will use TLS.
  3. Traffic to apps in legacy namespace will be sent as plain text.

Can someone confirm? thx
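When reading a tcpdump capture like the one above, the practical question is whether a given TCP payload is a TLS record (what mTLS between sidecars looks like on the wire) or plain-text HTTP. The following is an added example, not code from this thread or from Istio: it classifies captured payload bytes by the TLS record header (content type, version, length) versus an HTTP/1.x request or status line. The sample payloads are constructed for the example (a truncated ClientHello, an application-data record, and an httpbin request and response).

```python
import re
from collections import Counter

# TLS record-layer content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# HTTP/1.x request line or status line at the very start of a payload.
HTTP_START = re.compile(
    rb"^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
    rb"|^HTTP/1\.[01] \d{3}"
)


def classify_payload(payload: bytes) -> str:
    """Return 'tls:<content type>', 'http-plaintext' or 'unknown' for one TCP payload."""
    if len(payload) >= 5:
        ctype, major, minor = payload[0], payload[1], payload[2]
        length = int.from_bytes(payload[3:5], "big")
        # SSL 3.0 through TLS 1.3 all put major version 3 (minor 0..3) in the
        # record header, and a record body never exceeds 2^14 + 256 bytes.
        if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 3 and length <= 16384 + 256:
            return f"tls:{TLS_CONTENT_TYPES[ctype]}"
    if HTTP_START.match(payload):
        return "http-plaintext"
    return "unknown"


def summarize(payloads) -> dict:
    """Count the classification of each payload, as one would over a whole capture."""
    return dict(Counter(classify_payload(p) for p in payloads))


# Constructed sample payloads (not taken from a real capture).
SAMPLE_PAYLOADS = [
    b"GET /headers HTTP/1.1\r\nHost: httpbin.bar:8000\r\n\r\n",   # plain-text request
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}",  # plain-text response
    b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03",           # truncated TLS ClientHello
    b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef",                   # TLS application data
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(classify_payload(p), p[:24])
    print(summarize(SAMPLE_PAYLOADS))
```

Feed it the raw payload bytes of each packet (for instance from a pcap saved with tcpdump -w and read with a pcap library) rather than the -A text rendering, which already lossily replaces non-printable bytes.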