istio: Egress Gateways - Apply Kubernetes network policies failure

Bug description

The scenario described in Apply Kubernetes network policies cannot be successfully followed.

Step 9:

$ kubectl exec -it $(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name}) -n test-egress -c sleep -- curl -v https://edition.cnn.com/politics
* Could not resolve host: edition.cnn.com
* Closing connection 0
curl: (6) Could not resolve host: edition.cnn.com
command terminated with exit code 6

shows a different error message. Probably not relevant, since hostname can’t be resolved as well.

Step 13 (curling cnn via egress) fails:

$ kubectl exec -it $(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name}) -n test-egress -c sleep -- curl -s -o /dev/null -w "%{http_code}\n" https://edition.cnn.com/politics
000
command terminated with exit code 6

Envoy’s readiness probe fails:

$ kubectl get pods -n test-egress
NAME                     READY   STATUS    RESTARTS   AGE
sleep-5fb55468cb-68hg9   1/2     Running   0          14s

Envoy logs show the following:

[2019-06-12 08:30:45.574][16][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:86] gRPC config stream closed: 14, no healthy upstream
[2019-06-12 08:30:45.574][16][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:49] Unable to establish new stream
[2019-06-12 08:30:45.953][16][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:86] gRPC config stream closed: 14, no healthy upstream
[2019-06-12 08:30:45.953][16][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:49] Unable to establish new stream
2019-06-12T08:30:46.270973Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2019-06-12T08:30:48.271003Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
[2019-06-12 08:30:49.570][16][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:86] gRPC config stream closed: 14, no healthy upstream
[2019-06-12 08:30:49.570][16][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:49] Unable to establish new stream
2019-06-12T08:30:50.270592Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[X] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience

Expected behavior

Curl should succeed.

Version (include the output of istioctl version --remote and kubectl version)

Istio: 1.2.0-rc.0

Kubectl:

Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-07T09:55:27Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.0", GitCommit:"641856db18352033a0d96dbc99153fa3b27298e5", GitTreeState:"clean", BuildDate:"2019-03-25T15:45:25Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}

How was Istio installed?

Installed via [installation guide](https://preliminary.istio.io/docs/setup/kubernetes/install/kubernetes/). Note: For the demo to have an effect, I set passthrough mode to REGISTRY_ONLY via:

kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: REGISTRY_ONLY/mode: ALLOW_ANY/g' | kubectl replace -n istio-system -f -

Environment where bug was observed (cloud vendor, OS, etc)

GKE.
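
A triage sketch for the sidecar logs quoted in the report above, added here as an example and not part of the original issue or of Istio's tooling: it pulls out the gRPC status code of the closed config stream and the CDS/LDS update counters to tell whether the sidecar ever received configuration from Pilot. The function name `triage`, the verdict strings and the shortened sample lines are assumptions made for the example.

```python
import re

# gRPC status codes that commonly appear when an xDS stream fails.
GRPC_STATUS = {4: "DEADLINE_EXCEEDED", 13: "INTERNAL", 14: "UNAVAILABLE", 16: "UNAUTHENTICATED"}
STREAM_CLOSED = re.compile(r"gRPC config stream closed: (\d+), (.*)$")
NOT_READY = re.compile(
    r"Envoy proxy is NOT ready: .*?"
    r"cds updates: (\d+) successful, (\d+) rejected; "
    r"lds updates: (\d+) successful, (\d+) rejected"
)

# Constructed sample: same shape as the log lines in the report, source path shortened.
SAMPLE = """\
[2019-06-12 08:30:45.574][16][warning][config] [grpc_stream.h:86] gRPC config stream closed: 14, no healthy upstream
[2019-06-12 08:30:45.574][16][warning][config] [grpc_stream.h:49] Unable to establish new stream
2019-06-12T08:30:46.270973Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
"""

def triage(log_text):
    """Summarise sidecar logs: stream-close codes, xDS counters, and a verdict."""
    closes, counters = {}, None
    for line in log_text.splitlines():
        m = STREAM_CLOSED.search(line)
        if m:
            code = int(m.group(1))
            closes[code] = closes.get(code, 0) + 1
            continue
        m = NOT_READY.search(line)
        if m:
            counters = tuple(int(g) for g in m.groups())  # most recent line wins
    if counters is None:
        verdict = "no readiness failures logged"
    elif not any(counters):
        verdict = "sidecar never received config: check that the pod can reach Pilot"
    elif counters[1] or counters[3]:
        verdict = "config received but rejected: inspect the pushed configuration"
    else:
        verdict = "partial config received"
    named = {GRPC_STATUS.get(c, str(c)): n for c, n in closes.items()}
    return {"stream_closes": named, "xds": counters, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

With all four counters at zero and the stream closing with status 14, the application-level curl failures are downstream of the sidecar having no listeners or clusters at all, so the egress rules themselves have not yet been exercised.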

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 29 (27 by maintainers)

Most upvoted comments

My guess is this is 100% just an error in our docs, not any bug in Istio