I'm new to Istio and learning from the official website examples. The one I can't understand is globally enabling Istio mutual TLS.

I can run the example with the yaml code present on the web. After that, I changed the DestinationRule:

kubectl apply -f - <<EOF
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "foo"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF

The only part I changed is replacing the namespace of the example from istio-system to foo. Then I switch to foo namespace, and I run the following test command：

$ for from in "foo" "bar"; do for to in "foo" "bar"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done

and the result is below:

sleep.foo to httpbin.foo: 503
sleep.foo to httpbin.bar: 200
sleep.bar to httpbin.foo: 503
sleep.bar to httpbin.bar: 503

what I expect is:

sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 503
sleep.bar to httpbin.foo: 503
sleep.bar to httpbin.bar: 503

Followed the official example, I set a mesh-wide authentication policy that enables mutual TLS, and I then configured the client side mutual TLS on namespace foo, I think it should work on namespace foo, but it does not work.

Questions:

1. why the status of sleep.foo to httpbin.foo: 503 is 503 instead of 200?
2. why the status of sleep.foo to httpbin.bar: 200 is 200 instead of 503?

Is there anyone to explain this? thanks.