Category: Istio Ambient Troubleshooting
Problems related to troubleshooting Istio's Ambient service mesh mode, including CNI sandbox creation failures, ztunnel connectivity issues, traffic capture errors, and waypoint configuration problems.
| ID | Title | Description | Category | Technology | Tags |
|---|---|---|---|---|---|
| CRE-2025-0106 High Impact: 0/10 Mitigation: 0/10 | Ambient CNI Sandbox Creation Failure | Detects when the Istio CNI plugin fails to set up a pod's network sandbox in Ambient mode. Two common root causes are: 1. **No ztunnel connection** (CNI cannot contact the node-level ztunnel agent). | Istio Ambient Troubleshooting | ambient | IstioCNIAmbient |
| CRE-2025-0108 High Impact: 0/10 Mitigation: 0/10 | Ambient mode readiness probe failures | In Ambient mode, Istio applies a SNAT rule so that kubelet probe traffic appears from 169.254.7.127 and is bypassed by the data-plane. If you see **Readiness probe failed** events begin only after enabling Ambient, it almost always means that SNAT/bypass isn't working in your CNI or networking environment. | Istio Ambient Troubleshooting | ambient | IstioAmbientCNI |
| CRE-2025-0109 Medium Impact: 0/10 Mitigation: 0/10 | Ambient HTTP status codes by Ztunnel | When Ambient mode is enabled, Ztunnel tunnels HTTP over HBONE (HTTP CONNECT) and although it's a TCP proxy, it still tags its \"connection complete\" log lines with the HTTP status code from the upstream response (e.g. 503, 401). This CRE verifies that non-2xx responses are correctly surfaced. | Istio Ambient Troubleshooting | ambient | IstioAmbientZtunnel |
| CRE-2025-0110 High Impact: 0/10 Mitigation: 0/10 | Ztunnel Traffic timeouts in Istio Ambient Mode | Detects when Istio Ambient-mode HBONE (mTLS) traffic is blocked or dropped— resulting in Ztunnel logging timeouts such as `io error: deadline has elapsed` or `connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008`. | Istio Ambient Troubleshooting | ambient | IstioAmbientZtunnel |
| CRE-2025-0111 Medium Impact: 0/10 Mitigation: 0/10 | Ztunnel IPv6 Bind Failure | Detects when Ztunnel's DNS proxy or control-plane component attempts to bind to the IPv6 loopback address `[::1]:15053` on a node where IPv6 is disabled, resulting in an `Address family not supported` error. | Istio Ambient Troubleshooting | ambient | IstioAmbientZtunnelNetwork |