CRE-2025-0108

Ambient mode readiness probe failures (Severity: High)

Description

In Ambient mode, Istio applies a SNAT rule so that kubelet probe traffic appears to come from 169.254.7.127 and is bypassed by the data plane. If **Readiness probe failed** events begin only after enabling Ambient, it almost always means that the SNAT/bypass is not working in your CNI or networking environment.

Mitigation

IMMEDIATE:

- Inspect host iptables: `iptables -t nat -L ISTIO_REDIRECT` shows the SNAT rule.
- On each node, confirm kubelet source SNAT: `iptables -t nat -L OUTPUT`.
- Check your CNI docs for ambient prerequisites (Cilium/Calico, AWS SGs).

RECOVERY:

- Adjust your CNI so it does not masquerade the kubelet source IP.
- Remove any conflicting NetworkPolicy blocking ports 15021/8080 for probes.
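The two iptables checks above can be automated per node. The script below is an added example, not part of the CRE record or of Istio: it reads an `iptables-save -t nat` dump and reports whether the SNAT rule to 169.254.7.127 is present and whether a POSTROUTING MASQUERADE rule could also match probe traffic and rewrite its source. The three dumps embedded in the script are constructed for an offline run; the chain name `ISTIO_POSTRT` and the ipset name `istio-inpod-probes` in the sample are assumptions and may differ from what your Istio version installs, so only the `--to-source 169.254.7.127` target is relied on.

```shell
#!/bin/sh
# Added example (not from the CRE page or Istio): audit a node's nat table dump
# for the ambient readiness-probe SNAT rule and for a CNI masquerade rule that
# could rewrite the probe source address. On a real node run:
#   iptables-save -t nat > /tmp/nat.txt && check_dump /tmp/nat.txt
# Sample dumps below are constructed; chain/ipset names in them are assumptions.

PROBE_SRC='169.254.7.127'   # probe source address from the CRE description

# Succeeds if the dump contains a SNAT rule to the probe source address.
has_probe_snat() {
  grep -Fq -- "-j SNAT --to-source ${PROBE_SRC}" "$1"
}

# Succeeds if some POSTROUTING masquerade rule would also match probe traffic,
# i.e. it neither excludes the probe source nor restricts itself to a source CIDR.
has_conflicting_masquerade() {
  grep -E -- '^-A POSTROUTING .*-j MASQUERADE' "$1" \
    | grep -Fv -- "! -s ${PROBE_SRC}" \
    | grep -Evq -- '^-A POSTROUTING -s [0-9./]+ '
}

# Prints OK, MISSING_SNAT or CONFLICTING_MASQUERADE; always exits 0 so it can
# be called under `set -e`.
check_dump() {
  if ! has_probe_snat "$1"; then
    echo MISSING_SNAT
  elif has_conflicting_masquerade "$1"; then
    echo CONFLICTING_MASQUERADE
  else
    echo OK
  fi
}

# Constructed sample 1: Istio SNAT present, CNI masquerade limited to pod CIDR.
GOOD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_POSTRT - [0:0]
-A POSTROUTING -j ISTIO_POSTRT
-A POSTROUTING -s 10.244.0.0/16 ! -d 10.244.0.0/16 -j MASQUERADE
-A ISTIO_POSTRT -p tcp -m set --match-set istio-inpod-probes dst -j SNAT --to-source 169.254.7.127
COMMIT
EOF

# Constructed sample 2: CNI masquerades everything leaving eth0, no Istio SNAT.
BAD_DUMP=$(mktemp)
cat > "$BAD_DUMP" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF

# Constructed sample 3: Istio SNAT present but a broad masquerade rule remains.
CONFLICT_DUMP=$(mktemp)
cat > "$CONFLICT_DUMP" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
:ISTIO_POSTRT - [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -j ISTIO_POSTRT
-A ISTIO_POSTRT -p tcp -j SNAT --to-source 169.254.7.127
COMMIT
EOF

for f in "$GOOD_DUMP" "$BAD_DUMP" "$CONFLICT_DUMP"; do
  echo "$f: $(check_dump "$f")"
done
```

A MISSING_SNAT verdict points at the Istio CNI setup on that node; CONFLICTING_MASQUERADE points at the CNI's own NAT rules, which is the case the RECOVERY step "do not masquerade the kubelet source IP" addresses. Rule order within POSTROUTING also matters on a real node, since the first terminating nat target wins for a connection, so review the flagged line's position as well as its match.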

References