CRE-2025-0110
Ztunnel traffic timeouts in Istio Ambient Mode

Severity: High | Impact: 8/10 | Mitigation: 7/10
Description
Detects when Istio Ambient-mode HBONE (mTLS) traffic is blocked or dropped, resulting in Ztunnel logging timeouts such as `io error: deadline has elapsed` or `connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008`.
Mitigation
**IMMEDIATE:**
- Inspect/allow egress on port 15008 in NetworkPolicies or firewalls
- Verify host iptables aren't dropping HBONE traffic
- From a ztunnel pod:
  `kubectl exec -n istio-system ‹ztunnel-pod› -- nc -vz ‹pod-ip› 15008`

**LONG-TERM:**
- Enforce HBONE port rules in CI/CD
- Monitor ztunnel logs for frequent timeouts & alert
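The long-term "monitor and alert" step, as an added example that is not part of this CRE or of Istio itself: a small detector that scans ztunnel log lines for the two timeout signatures above, raises an alert when several occur inside a sliding window, and lists the destination pods involved so the NetworkPolicy / iptables check can be targeted. The log lines and their layout (ISO timestamp, level, then `src.addr` / `dst.addr` / `error` fields) are constructed for the example and assumed, not a real capture.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample ztunnel log lines (assumed layout; illustrative only).
SAMPLE_LOGS = """\
2025-05-01T10:00:01Z info  access connection complete src.addr=10.0.1.5:43210 dst.addr=10.0.2.7:8080
2025-05-01T10:00:05Z error access connection complete src.addr=10.0.1.5:43211 dst.addr=10.0.2.7:8080 error="io error: deadline has elapsed"
2025-05-01T10:00:09Z error access connection complete src.addr=10.0.1.5:43212 dst.addr=10.0.2.8:9090 error="connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008"
2025-05-01T10:00:12Z error access connection complete src.addr=10.0.1.6:43213 dst.addr=10.0.2.8:9090 error="io error: deadline has elapsed"
2025-05-01T10:04:00Z info  access connection complete src.addr=10.0.1.6:43214 dst.addr=10.0.2.7:8080
"""

# The two HBONE timeout signatures named in CRE-2025-0110.
HBONE_TIMEOUT_PATTERNS = [
    re.compile(r"io error: deadline has elapsed"),
    re.compile(r"connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008"),
]
TIMESTAMP_RE = re.compile(r"^(\S+)")
DST_RE = re.compile(r"dst\.addr=(\d+\.\d+\.\d+\.\d+)")


def find_hbone_timeouts(log_text):
    """Return (timestamp, destination ip) for every line matching a timeout signature."""
    hits = []
    for line in log_text.splitlines():
        if not any(p.search(line) for p in HBONE_TIMEOUT_PATTERNS):
            continue
        ts = datetime.strptime(TIMESTAMP_RE.match(line).group(1), "%Y-%m-%dT%H:%M:%SZ")
        dst = DST_RE.search(line)
        hits.append((ts, dst.group(1) if dst else "unknown"))
    return hits


def should_alert(hits, threshold=3, window=timedelta(minutes=1)):
    """True when at least `threshold` timeouts fall inside any sliding `window`."""
    times = sorted(ts for ts, _ in hits)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


def blocked_destinations(hits):
    """Destination pods seen in timeouts, most frequent first: where to check port 15008 egress."""
    return Counter(dst for _, dst in hits).most_common()


if __name__ == "__main__":
    found = find_hbone_timeouts(SAMPLE_LOGS)
    print(f"{len(found)} HBONE timeout(s); alert={should_alert(found)}")
    for dst, n in blocked_destinations(found):
        print(f"  {dst}: {n} timeout(s)")
```

Point `find_hbone_timeouts` at `kubectl logs -n istio-system ‹ztunnel-pod›` output, and tune `threshold` and `window` to the cluster's normal connection rate so a single transient timeout does not page anyone.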