Open3
Mesh Week: Securing Workloads (# 1)
I tried the mock exam provided by Mesh Week at the following link:
Question: Securing Workloads
You want to configure a strict mTLS policy for all workloads in the default namespace with the label mtls: strict set. Additionally, you want to disable mTLS for port 9000 (on the same set of workloads). Create a resource that configures these settings.
Answer
$ kubectl api-resources | grep peer
peerauthentications pa security.istio.io/v1 true PeerAuthentication
$ vi default-peer-auth.yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  selector:
    matchLabels:
      mtls: strict
  mtls:
    mode: STRICT
  portLevelMtls:
    9000:
      mode: DISABLE
$ kubectl apply -f default-peer-auth.yaml
peerauthentication.security.istio.io/default created
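To check the resource does what the question asks, here is an added Python example (my own, not part of the mock exam or of Istio) that resolves which PeerAuthentication wins for a given workload and port and what mTLS mode results. It assumes istio-system is the root namespace, PERMISSIVE as the mesh default, and adds a constructed namespace-wide PERMISSIVE policy next to the answer above so the precedence rule (workload-specific beats namespace-wide beats mesh-wide) is visible.

```python
"""Resolve the effective mTLS mode for a workload port from a set of
PeerAuthentication resources, following Istio's precedence: a policy with a
selector (workload-specific) beats one without (namespace-wide), which beats a
selector-less policy in the root namespace (mesh-wide)."""

ROOT_NAMESPACE = "istio-system"   # assumption: Istio's default root namespace
MESH_DEFAULT = "PERMISSIVE"       # assumption: mode when no policy applies

# Constructed inputs: the exam answer's resource plus a namespace-wide
# PERMISSIVE policy added here to show the precedence rule in action.
POLICIES = [
    {"metadata": {"name": "default", "namespace": "default"},
     "spec": {"selector": {"matchLabels": {"mtls": "strict"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {9000: {"mode": "DISABLE"}}}},
    {"metadata": {"name": "ns-wide", "namespace": "default"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
]


def specificity(policy, namespace, labels):
    """Return 3/2/1 for workload/namespace/mesh scope when the policy applies
    to this workload, else 0."""
    pns = policy["metadata"].get("namespace", "default")
    match = policy["spec"].get("selector", {}).get("matchLabels")
    if match is not None:  # workload-specific: needs same namespace + all labels
        if pns == namespace and all(labels.get(k) == v for k, v in match.items()):
            return 3
        return 0
    if pns == namespace:   # namespace-wide
        return 2
    if pns == ROOT_NAMESPACE:  # mesh-wide
        return 1
    return 0


def effective_mode(policies, namespace, labels, port):
    """Most specific applicable policy wins; inside it a portLevelMtls entry
    overrides the workload-level mode (port-level entries need a selector)."""
    ranked = [(specificity(p, namespace, labels), p) for p in policies]
    rank, best = max(ranked, key=lambda r: r[0])
    if rank == 0:
        return MESH_DEFAULT
    port_mode = best["spec"].get("portLevelMtls", {}).get(port, {}).get("mode")
    if rank == 3 and port_mode and port_mode != "UNSET":
        return port_mode
    return best["spec"].get("mtls", {}).get("mode", MESH_DEFAULT)
```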