PREQUEL-2025-0025

Istio CNI Ztunnel Connection FailureLow

Impact: 3/10

Mitigation: 6/10

PREQUEL-2025-0025View on GitHub

Istio

Description

The CNI plugin is not connected to Ztunnel. For pods in the mesh, Istio will run a CNI plugin during the pod 'sandbox' creation. This configures the networking rules. This may intermittently fail, in which case Kubernetes will automatically retry.

Mitigation

Ensure Ztunnel is running on the same node and is healthy

References

• https://github.com/istio/istio/wiki/Troubleshooting-Istio-Ambient#scenario-pod-fails-to-run-with-failed-to-create-pod-sandbox