CRE-2025-0110
Ztunnel Traffic timeouts in Istio Ambient Mode
Severity: High
Description
Detects when Istio Ambient-mode HBONE (mTLS) traffic is blocked or dropped—resulting in Ztunnel logging timeouts such as `io error: deadline has elapsed` or `connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008`.
Mitigation
**IMMEDIATE:**
- Inspect/allow egress on port 15008 in NetworkPolicies or firewalls
- Verify host iptables aren't dropping HBONE traffic
- From a ztunnel pod:
  `kubectl exec -n istio-system <ztunnel-pod> -- nc -vz <pod-ip> 15008`

**LONG-TERM:**
- Enforce HBONE port rules in CI/CD
- Monitor ztunnel logs for frequent timeouts & alert
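The long-term "monitor ztunnel logs and alert" step, as an added example that is not part of the CRE catalog or of Istio: a POSIX shell check that counts the two timeout signatures from the description over a constructed set of ztunnel log lines and signals when a threshold is reached. The log line layout, the `app=ztunnel` label and the threshold value are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not CRE or Istio code). Constructed sample ztunnel log
# lines; the field layout is illustrative, not captured from a cluster.
SAMPLE_LOGS='2025-01-01T00:00:01Z info access connection complete src.addr=10.0.1.5:4321 dst.addr=10.0.2.9:8080
2025-01-01T00:00:02Z error access connection failed src.addr=10.0.1.5:4322 dst.addr=10.0.2.9:8080 error="io error: deadline has elapsed"
2025-01-01T00:00:03Z error access connection failed src.addr=10.0.1.5:4323 dst.addr=10.0.2.9:15008 error="connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008"
2025-01-01T00:00:04Z info access connection complete src.addr=10.0.1.6:4324 dst.addr=10.0.2.10:8080
2025-01-01T00:00:05Z error access connection failed src.addr=10.0.1.7:4325 dst.addr=10.0.2.11:15008 error="io error: deadline has elapsed"'

# Count log lines carrying either HBONE timeout signature named in the
# CRE description. A line matching both patterns is counted once.
# "|| true" keeps a zero-match result from tripping "set -e".
count_hbone_timeouts() {
  printf '%s\n' "$1" | {
    grep -c -E 'io error: deadline has elapsed|maybe a NetworkPolicy is blocking HBONE port 15008' || true
  }
}

# Return 0 (alert) when the timeout count meets the threshold, 1 otherwise.
hbone_timeout_alert() {
  logs=$1
  threshold=$2
  n=$(count_hbone_timeouts "$logs")
  [ "$n" -ge "$threshold" ]
}

# Stand-alone demonstration on the constructed sample (assumed threshold: 3).
# Against a live cluster, feed real output instead, e.g.:
#   kubectl logs -n istio-system -l app=ztunnel --since=5m
if hbone_timeout_alert "$SAMPLE_LOGS" 3; then
  echo "ALERT: $(count_hbone_timeouts "$SAMPLE_LOGS") HBONE timeout(s) in window"
else
  echo "ok: HBONE timeouts below threshold"
fi
```

Wire the alert branch into whatever pager or ticketing hook the team already uses; the threshold and window should be tuned against baseline ztunnel log volume before enabling paging.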