Category: Istio Problems
Problems related to Istio
ID | Title | Description | Category | Technology | Tags |
---|---|---|---|---|---|
prequel-2025-0024 High Impact: 6/10 Mitigation: 7/10 | Istio Traffic Timeout | Connections routed through **ztunnel** stop after the default 10s deadline. Ztunnel logs show `error access connection complete ... error=\"io error: deadline has elapsed\"` or `error=\"connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008\"` while clients see 504 Gateway Timeout or connection-reset errors. The issue is limited to workloads enrolled in Ambient mode; sidecar-injected or “no-mesh” pods continue to work. | Istio Problems | istio | IstioTimeout |
prequel-2025-0025 Low Impact: 3/10 Mitigation: 6/10 | Istio CNI Ztunnel Connection Failure | The CNI plugin is not connected to Ztunnel. For pods in the mesh, Istio will run a CNI plugin during the pod 'sandbox' creation. This configures the networking rules. This may intermittently fail, in which case Kubernetes will automatically retry. | Istio Problems | istio | Istio |
prequel-2025-0026 Low Impact: 3/10 Mitigation: 6/10 | Istio XDS GRPC Failure | Envoy sidecars or Ambient **ztunnel** keep retrying the control-plane stream and log `XDS client connection error: gRPC connection error:status: Unknown, message: \"...\", source: tcp connect error: Connection refused (os error 111)` or `... source: tcp connect error: deadline has elapsed`. The proxies never reach “ADS stream established”, so no configuration, certificates, or policy updates are delivered until this is mitigated. | Istio Problems | istio | IstioXDS |