Kind:      kind.PeerAuthentication,
			Name:      selectorPolicyName,
			Namespace: "ns1",
		}))})

	// Add global selector policy; nothing should happen since PeerAuthentication doesn't support global mesh wide selectors
	s.addPolicy(t, "global-selector", systemNS, map[string]string{"app": "a"}, gvk.PeerAuthentication, func(c controllers.Object) {

# Global PeerAuthentication can be removed for this test, once we remove the (alpha) mesh policy
# during installation.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
  annotations:
    test-suite: "beta-mtls-permissive"
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "default"
  annotations:

// [static STRICT policy, port-level STRICT policy] based on the effective PeerAuthentication policy
func convertedSelectorPeerAuthentications(rootNamespace string, configs []*securityclient.PeerAuthentication) []string {
	var meshCfg, namespaceCfg, workloadCfg *securityclient.PeerAuthentication
	for _, cfg := range configs {
		spec := &cfg.Spec
		if spec.Selector == nil || len(spec.Selector.MatchLabels) == 0 {

		return "MeshNetworks"
	case MutatingWebhookConfiguration:
		return "MutatingWebhookConfiguration"
	case Namespace:
		return "Namespace"
	case Node:
		return "Node"
	case PeerAuthentication:
		return "PeerAuthentication"
	case Pod:
		return "Pod"
	case ProxyConfig:
		return "ProxyConfig"
	case ReferenceGrant:
		return "ReferenceGrant"
	case RequestAuthentication:
		return "RequestAuthentication"

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "a-disable"
  annotations:
    test-suite: "beta-mtls-automtls-workload"
spec:
  selector:
    matchLabels:
      app: a
  mtls:
    mode: DISABLE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "b-strict"
  annotations:
    test-suite: "beta-mtls-automtls-workload"
spec:
  selector:
    matchLabels:

	case *k8sioapicorev1.Namespace:
		return gvk.Namespace, true
	case *k8sioapicorev1.Node:
		return gvk.Node, true
	case *istioioapisecurityv1beta1.PeerAuthentication:
		return gvk.PeerAuthentication, true
	case *apiistioioapisecurityv1beta1.PeerAuthentication:
		return gvk.PeerAuthentication, true
	case *k8sioapicorev1.Pod:
		return gvk.Pod, true
	case *istioioapinetworkingv1beta1.ProxyConfig:
		return gvk.ProxyConfig, true

func fetchPeerAuthentications(
	ctx krt.HandlerContext,
	PeerAuths krt.Collection[*securityclient.PeerAuthentication],
	meshCfg *MeshConfig,
	ns string,
	matchLabels map[string]string,
) []*securityclient.PeerAuthentication {
	return krt.Fetch(ctx, PeerAuths, krt.FilterGeneric(func(a any) bool {
		pol := a.(*securityclient.PeerAuthentication)
		if pol.Namespace == meshCfg.GetRootNamespace() && pol.Spec.Selector == nil {
			return true

	IsMtlsDisabled bool
	SubsetName     string
}{
	gvk.PeerAuthentication.String(): {
		"mtls-off-ineffective": {
			Config: config.Config{
				Meta: config.Meta{
					GroupVersionKind: gvk.PeerAuthentication,
					Name:             "mtls-partial",
					Namespace:        "istio-system",
				},
				Spec: &security.PeerAuthentication{
					Selector: &v1beta1.WorkloadSelector{

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
spec:
  selector:
    matchLabels:
      app: a
  mtls:
    mode: STRICT
  portLevelMtls:
    8080: 

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-and-disable-mtls
spec:
  selector:
    matchLabels:
      app: a
  mtls:
    mode: STRICT
  portLevelMtls:
    9090: