P0 INCIDENT: Istio mTLS Breaks Service After Policy Change
#ENG-WAR-058 | Google, Lyft
Senior | ~25 min | 15:00

API CPU Usage: 99.2% (↑ 42%)
P99 Latency: 2450 ms (↑ 400%)
5xx Error Rate: 12.4% (↑ 12%)
DB Connections: 14,492 (↑ 800%)

Your security team changed the Istio PeerAuthentication policy from PERMISSIVE to STRICT across all namespaces to enforce mTLS. Within minutes, your legacy batch job service (which doesn't have Envoy sidecar injection enabled — it has sidecar.istio.io/inject: "false") started failing all outbound HTTP calls to other microservices with: TLS handshake error from remote address. The batch job is stuck.

What is your first action?