Tag: Istio

Problems related to the Istio service mesh

| ID | Title | Description | Category | Technology | Tags |
| --- | --- | --- | --- | --- | --- |
| prequel-2025-0002 (Medium; Impact: 7/10; Mitigation: 3/10) | Envoy metrics scraping failure with unexpected EOF | Prometheus is failing to scrape and write Envoy metrics from Istio sidecars due to an unexpected EOF error. This occurs when trying to collect metrics from services that don't have proper protocol selection configured in their Kubernetes Service definition. | Service Mesh Monitoring | prometheus | Prometheus, Istio, Envoy, Metrics, Service Mesh, Kubernetes |
| prequel-2025-0005 (High; Impact: 3/10; Mitigation: 3/10) | Kiali Unable to Fetch Istio Traces | Kiali is unable to fetch Istio traces due to a configuration error. | Service Mesh Problems | kiali | Istio, Tracing, Kiali |
| prequel-2025-0024 (High; Impact: 6/10; Mitigation: 7/10) | Istio Traffic Timeout | Connections routed through **ztunnel** stop after the default 10s deadline. Ztunnel logs show `error access connection complete ... error="io error: deadline has elapsed"` or `error="connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008"` while clients see 504 Gateway Timeout or connection-reset errors. The issue is limited to workloads enrolled in Ambient mode; sidecar-injected or "no-mesh" pods continue to work. | Istio Problems | istio | Istio, Timeout |
| prequel-2025-0025 (Low; Impact: 3/10; Mitigation: 6/10) | Istio CNI Ztunnel Connection Failure | The CNI plugin is not connected to Ztunnel. For pods in the mesh, Istio will run a CNI plugin during the pod 'sandbox' creation. This configures the networking rules. This may intermittently fail, in which case Kubernetes will automatically retry. | Istio Problems | istio | Istio |
| prequel-2025-0026 (Low; Impact: 3/10; Mitigation: 6/10) | Istio XDS GRPC Failure | Envoy sidecars or Ambient **ztunnel** keep retrying the control-plane stream and log `XDS client connection error: gRPC connection error:status: Unknown, message: "...", source: tcp connect error: Connection refused (os error 111)` or `... source: tcp connect error: deadline has elapsed`. The proxies never reach "ADS stream established", so no configuration, certificates, or policy updates are delivered until this is mitigated. | Istio Problems | istio | Istio, XDS |