Bug Description

For a simple configuration:

• Some pod with configured readiness probe
• Aforementioned pod is load-balanced by a ClusterIP service
• Istio installed

I expect that when a load-balanced pod is not ready, it should not be reachable via the load-balancing service.

With Istio 1.14.1, if I configure:

• Some pod(s) with ready status FALSE
• ClusterIP service (load-balancer)
• A pair of pods from which to issue curl requests, one with an envoy sidecar and one without

Then:

• The pod with an envoy sidecar can successfully e.g. curl an unready endpoint via the load balancer.
• The pod without any envoy sidecar cannot.

For earlier Istio versions - specifically 1.13.2 for instance - I observe:

• The pod with an envoy sidecar cannot successfully e.g. curl an endpoint, returning status no healthy upstream
• The pod without any envoy sidecar cannot reach any loadbalanced pod.

The behaviour exhibited by version 1.13.2 is the behaviour I expect.

Please clarify, many thanks.

Version

client version: 1.14.1
control plane version: 1.14.1
data plane version: 1.13.2 (2 proxies), 1.14.1 (2 proxies)

Client Version: v1.24.2
Kustomize Version: v4.5.4
Server Version: v1.23.8+k3s1

v3.9.0+g7ceeda6

Additional Information

No response