Bug
Resolution: Done
Major
maistra-0.11.0
None
The setup is as follows:
Namespace "foo" has a DestinationRule that forces mutual TLS (ISTIO_MUTUAL). There's an httpbin service deployed in the "foo" namespace. Namespace "legacy" has a sleep container deployed without a sidecar. The destination rule above doesn't get applied to requests originating from the "sleep.legacy" container, as there is no sidecar attached to it, so plain HTTP traffic from sleep.legacy to httpbin.foo can pass.
When a "strict" mTLS policy is created in "foo", plain HTTP traffic from sleep.legacy to httpbin.foo will start to fail. If the policy is removed, HTTP traffic should resume again, but in my case it did not. It took about 30 minutes to get Istio into an inconsistent state. Re-adding and then removing the policy fixed the issue; no restart of Galley was needed.
To recreate the issue:
- Set up the environment as described in https://istio.io/docs/tasks/security/mtls-migration/#before-you-begin. Make sure to add the anyuid and privileged SCCs to the "default" and "sleep" SAs.
- Launch "reproduce.sh" (attached). The script will stop once an inconsistent configuration has been detected.
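As an added illustration of the loop described above (this is not the attached reproduce.sh, which is not reproduced on this page), the script below alternately applies and removes a namespace-wide strict mTLS Policy in "foo" and, after each change, probes plaintext HTTP from the sidecar-less sleep pod in "legacy" until the observed result matches the policy state or a settle timeout expires. It stops at the first state that never settles, which for this bug is "policy removed but plaintext still refused". With a strict policy in place httpbin's sidecar rejects the plaintext connection and curl reports HTTP code 000 (exit code 56); with the policy gone the request returns 200 again. The setup from the mTLS migration task is assumed; the policy name "default", the app=sleep label, the oc client and the 60-second settle window are assumptions of this example.

```shell
#!/bin/sh
# Added reproduction loop (not the reporter's reproduce.sh). Assumes the
# mtls-migration "before you begin" setup: httpbin with a sidecar in "foo" and an
# ISTIO_MUTUAL DestinationRule, sleep without a sidecar in "legacy".
set -u

KUBECTL=${KUBECTL:-oc}          # assumption: oc on OpenShift; kubectl works too
SETTLE_SECS=${SETTLE_SECS:-60}  # assumption: how long a config change may take to propagate

# Expected HTTP code from the sidecar-less sleep.legacy pod for a policy state.
# present: httpbin's sidecar refuses plaintext, curl prints 000 (connection failed).
# absent:  plaintext is accepted again, curl prints 200.
expected_code() {
  case "$1" in
    present) echo 000 ;;
    absent)  echo 200 ;;
    *) echo "unknown policy state: $1" >&2; return 1 ;;
  esac
}

# consistent STATE CODE: succeed when an observed code matches the policy state.
consistent() {
  [ "$2" = "$(expected_code "$1")" ]
}

# One plaintext probe from sleep.legacy to httpbin.foo; prints the HTTP code only.
probe() {
  pod=$("$KUBECTL" get pod -n legacy -l app=sleep -o jsonpath='{.items[0].metadata.name}')
  "$KUBECTL" exec -n legacy "$pod" -c sleep -- \
    curl -s -o /dev/null -w '%{http_code}' http://httpbin.foo:8000/ip
}

# wait_for STATE: poll until the observed code matches STATE or SETTLE_SECS elapse.
wait_for() {
  elapsed=0
  code=unknown
  while [ "$elapsed" -lt "$SETTLE_SECS" ]; do
    code=$(probe)
    if consistent "$1" "$code"; then return 0; fi
    sleep 5
    elapsed=$((elapsed + 5))
  done
  echo "policy $1: last observed HTTP code $code after ${SETTLE_SECS}s" >&2
  return 1
}

# Namespace-wide strict mTLS policy for "foo" (assumed name "default").
apply_policy() {
  "$KUBECTL" apply -f - <<'EOF'
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: foo
spec:
  peers:
  - mtls: {}
EOF
}

remove_policy() {
  "$KUBECTL" delete policy default -n foo
}

# Alternate apply/remove and stop at the first state that does not settle.
main() {
  iteration=0
  while :; do
    iteration=$((iteration + 1))
    echo "iteration $iteration: applying strict policy"
    apply_policy >/dev/null
    wait_for present || { echo "INCONSISTENT: plaintext still passes with strict policy"; exit 1; }
    echo "iteration $iteration: removing policy"
    remove_policy >/dev/null
    wait_for absent || { echo "INCONSISTENT: plaintext did not resume after policy removal"; exit 1; }
  done
}

# Only run the loop when invoked as "./repro.sh run", so the functions can be sourced.
if [ "${1:-}" = run ]; then
  main
fi
```

Run it as `./repro.sh run` against a cluster with the setup in place; it prints the iteration count, so the time to reach the inconsistent state can be compared with the roughly 30 minutes reported above. Raising SETTLE_SECS rules out slow propagation being mistaken for the bug.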