},
				},
				{
					// There is only authN policy that enables mTLS (Permissive).
					// The request should be allowed because the client is always using plain text.
					name: "PERMISSIVE",
					config: `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls
spec:
  mtls:
    mode: PERMISSIVE`,
					expected: []expect{
						{

			calls:  calls,
		})
	})

	t.Run("Permissive", func(t *testing.T) {
		calls := []simulation.Expect{}
		for _, c := range cases {
			calls = append(calls, simulation.Expect{
				Name:   c.Name,
				Call:   c.Call,
				Result: c.Permissive,
			})
		}
		runSimulationTest(t, nil, xds.FakeOptions{}, simulationTest{
			config: svc + mtlsMode("PERMISSIVE"),
			calls:  calls,
		})
	})

   mode: DISABLE
---`
	paPermissive := `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
 name: default
spec:
 selector:
   matchLabels:
     app: foo
 mtls:
   mode: PERMISSIVE
---`
	paStrictWithDisableOnPort9000 := `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
 name: default
spec:
 selector:
   matchLabels:
     app: foo
 mtls:

	MTLSUnknown MutualTLSMode = iota

	// MTLSDisable if authentication policy disable mTLS.
	MTLSDisable

	// MTLSPermissive if authentication policy enable mTLS in permissive mode.
	MTLSPermissive

	// MTLSStrict if authentication policy enable mTLS in strict mode.
	MTLSStrict
)

// In Ambient, we convert k8s PeerAuthentication resources to the same type as AuthorizationPolicies

		// replacement for permissive.
		mode = model.MTLSDisable
	}

	var out []*listener.FilterChain
	switch mode {
	case model.MTLSDisable:
		out = append(out, buildInboundFilterChain(node, push, "plaintext", nil))
	case model.MTLSStrict:
		out = append(out, buildInboundFilterChain(node, push, "mtls", tlsContext))

						Name:      workloadCfg.Name,
						Kind:      kind.PeerAuthentication,
						Namespace: workloadCfg.Namespace,
					})
				}
			} else {
				// Permissive mesh or namespace policy
				isEffectiveStrictPolicy = false // any ports that aren't specified will be PERMISSIVE so this workload isn't effectively under a STRICT policy
				foundStrict := false
				for _, portMtls := range workloadSpec.PortLevelMtls {

					expectCrossCluster: notFromNaked,
					expectCrossNetwork: notNaked,
					expectSuccess:      notNaked,
					minIstioVersion:    integIstioVersion,
				},
				{
					name: "global mtls permissive",
					configs: config.Sources{
						config.File("testdata/reachability/global-peer-authn.yaml.tmpl"),
						config.File("testdata/reachability/global-dr.yaml.tmpl"),
					}.WithParams(param.Params{

		http   map[int]bool
		tls    map[int]bool
	}{
		{
			name:   "permissive",
			config: "",
			http: map[int]bool{
				// Should not see HTTP inspector if we declare ports
				80: true,
				82: true,
				// But should see for passthrough or unnamed ports
				81:   false,
				1000: false,
			},
			tls: map[int]bool{
				// Permissive mode: inspector is set everywhere
				80:   false,
				82:   false,

			t.NewSubTest("permissive").Run(func(t framework.TestContext) {
				t.ConfigIstio().Eval(apps.Namespace.Name(), map[string]string{
					"Destination": dst.Config().Service,
					"Source":      src.Config().Service,
					"Namespace":   apps.Namespace.Name(),
				}, `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: global-permissive
spec:
  mtls:
    mode: PERMISSIVE

			},
		}
	})
	// There should be an event since effective policy moves to PERMISSIVE
	s.assertEvent(t, s.podXdsName("pod1"), s.podXdsName("pod2"), xdsConvertedPeerAuthSelector)
	assert.Equal(t,
		s.lookup(s.addrXdsName("127.0.0.1"))[0].Address.GetWorkload().AuthorizationPolicies,
		nil)

	// Change namespace policy to be PERMISSIVE
	s.addPolicy(t, "namespace", testNS, nil, gvk.PeerAuthentication, func(c controllers.Object) {