
CRE-2025-0106

Ambient CNI Sandbox Creation Failure (Severity: High)


Description

Detects when the Istio CNI plugin fails to set up a pod's network sandbox in Ambient mode. Two common root causes are:

1. **No ztunnel connection** (CNI cannot contact the node-level ztunnel agent).

Mitigation

IMMEDIATE:
- Verify ztunnel DaemonSet health: `kubectl -n istio-system get pods -l app=ztunnel`
- Inspect ztunnel logs for connectivity errors:
  `kubectl -n istio-system logs <ztunnel-pod>`

RECOVERY:
- Patch ztunnel to run on all nodes:
  `kubectl -n istio-system patch daemonset ztunnel --patch '{"spec":{"template":{"spec":{"nodeSelector":{}}}}}'`
- Delete and recreate the affected pods

PREVENTION:
- Monitor Istio CNI and ztunnel agent metrics
- Alert on repeated CNI plugin failures in control-plane logs
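The "verify ztunnel health" and "run ztunnel on all nodes" steps above amount to one check: does every node host a Running ztunnel pod? The script below is an added example, not part of this CRE entry or of Istio; it assumes the `app=ztunnel` label and `istio-system` namespace used above, the kubectl jsonpath queries are the author's choice, and the sample data is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the CRE entry): list cluster nodes that have no
# Running ztunnel pod, the condition behind the "no ztunnel connection"
# root cause. The kubectl jsonpath queries and sample data are assumptions.
set -u

# missing_ztunnel_nodes NODE_LIST POD_LIST
#   NODE_LIST: node names, one per line (kubectl get nodes)
#   POD_LIST:  "<nodeName><TAB><phase>" per ztunnel pod, one per line
# Prints nodes without a Running ztunnel pod; returns 1 if any exist.
missing_ztunnel_nodes() {
  local nodes="$1" pods="$2" missing
  # Pod lines come first so the covered[] set is complete before node lines.
  missing=$(printf '%s\n%s\n' "$pods" "$nodes" | awk -F'\t' '
    NF == 2 { if ($2 == "Running") covered[$1] = 1; next }
    NF == 1 && $1 != "" { if (!($1 in covered) && !seen[$1]++) print $1 }')
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
  return 0
}

# Live variant: pulls the two lists from the cluster (needs kubectl access).
check_cluster() {
  local nodes pods
  nodes=$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
  pods=$(kubectl -n istio-system get pods -l app=ztunnel \
    -o jsonpath='{range .items[*]}{.spec.nodeName}{"\t"}{.status.phase}{"\n"}{end}')
  missing_ztunnel_nodes "$nodes" "$pods"
}

# Constructed sample standing in for kubectl output: three nodes, ztunnel
# healthy on worker-a, crash-looping on worker-b, absent from worker-c.
SAMPLE_NODES='worker-a
worker-b
worker-c'
SAMPLE_PODS=$(printf 'worker-a\tRunning\nworker-b\tCrashLoopBackOff\n')

if [ "${1:-}" = "--live" ]; then
  check_cluster
elif missing_ztunnel_nodes "$SAMPLE_NODES" "$SAMPLE_PODS"; then
  echo "every node has a Running ztunnel pod"
else
  echo "nodes above lack a Running ztunnel pod; pods scheduled there will fail CNI sandbox setup" >&2
fi
```

Run with `--live` against a cluster to check real nodes; any node it prints is where the nodeSelector patch or a ztunnel pod restart is needed before recreating the affected pods.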

References