
CRE-2025-0104

Istio Ambient traffic fails with timed out waiting for workload from xds

Medium


Description

Ztunnel must fetch pod workload info from Istiod over XDS before tunneling. If it doesn't receive a response within ~5s, it rejects the connection with: `timed out waiting for workload … from xds`. Intermittent XDS delays may indicate Istiod overload or misconfiguration (e.g. PILOT_DEBOUNCE_AFTER).

Mitigation

IMMEDIATE:
- Check Istiod pod resource usage: `kubectl -n istio-system top pods istiod-xxx`
- Inspect ztunnel logs for repeated XDS timeouts.
- Ensure port 15012 TCP is open between all nodes and istiod.

RECOVERY:
- Scale up Istiod deployment or increase resources.
- Review meshConfig.PILOT_DEBOUNCE_* and revert experimental changes.
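One way to carry out the "inspect ztunnel logs" step, added here as an example and not part of the CRE rule itself: it reads ztunnel log lines on stdin and counts XDS timeouts per workload. The function name, the threshold and the sample log lines are assumptions; only the message text comes from the description above.

```shell
#!/bin/sh
# Added example: count "timed out waiting for workload ... from xds"
# messages per workload and report workloads at or above a threshold.

# Constructed sample lines. The timestamp/level layout is an assumption,
# only the quoted message text is taken from the CRE description.
SAMPLE_LOG='2025-01-01T10:00:01Z error connection failed: timed out waiting for workload 10.0.0.5 from xds
2025-01-01T10:00:04Z info connection complete
2025-01-01T10:00:07Z error connection failed: timed out waiting for workload 10.0.0.9 from xds
2025-01-01T10:00:12Z error connection failed: timed out waiting for workload 10.0.0.5 from xds
2025-01-01T10:00:19Z error connection failed: timed out waiting for workload 10.0.0.5 from xds'

# xds_timeout_report MIN  (hypothetical helper name)
# Reads log lines on stdin, prints "<count> <workload>" for every workload
# that hit the XDS timeout at least MIN times, most affected first.
xds_timeout_report() {
    awk -v min="${1:-3}" '
    BEGIN { pre = "timed out waiting for workload "; suf = " from xds" }
    {
        s = index($0, pre)
        if (s == 0) next                      # not an XDS timeout line
        rest = substr($0, s + length(pre))
        e = index(rest, suf)
        if (e == 0) next                      # message truncated, skip it
        count[substr(rest, 1, e - 1)]++       # text between prefix and suffix
    }
    END {
        for (w in count)
            if (count[w] >= min) print count[w], w
    }' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample. Against a cluster, pipe the output of
# `kubectl logs` for a ztunnel pod into the function instead.
printf '%s\n' "$SAMPLE_LOG" | xds_timeout_report 2
```
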
