
CRE-2025-0111

Ztunnel IPv6 Bind Failure

Severity: Medium


Description

Detects when Ztunnel's DNS proxy or control-plane component attempts to bind to the IPv6 loopback address `[::1]:15053` on a node where IPv6 is disabled, resulting in an `Address family not supported` error.

Mitigation

IMMEDIATE:
- Re-enable IPv6 on the node if IPv6 is required:
  ```bash
  sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0
  sudo sysctl -w net.ipv6.conf.default.disable_ipv6=0
  ```
- Or disable IPv6 binding in Ztunnel by setting in your IstioOperator:
  ```yaml
  values:
    ztunnel:
      IPV6_ENABLED: false
  ```
- Restart the Ztunnel DaemonSet:
  ```bash
  kubectl -n istio-system rollout restart daemonset ztunnel
  ```

LONG-TERM:
- Incorporate node-level IPv6 capability checks into your cluster provisioning
- Validate the `IPV6_ENABLED` flag in your IstioOperator CI pipelines
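One way to implement the node-level IPv6 capability check from the long-term mitigation, as an added example that is not part of the CRE rule or of Istio. The function name `ipv6_loopback_status` and its optional proc-root argument (used to run the check against a fixture tree) are assumptions made for this example.

```bash
#!/bin/sh
# Added example: provisioning preflight that reports whether a bind to the
# IPv6 loopback address (::1) can succeed on this node.
# Usage in a provisioning script:  ipv6_loopback_status || exit 1
#
# $1 (hypothetical, optional): alternate proc root for testing; default /proc.
# Prints one status word and returns:
#   0  ok                    IPv6 enabled and ::1 assigned
#   1  disabled:<scope>      disable_ipv6 is non-zero for all/default/lo
#   1  no-loopback-address   sysctls allow IPv6 but ::1 is not assigned
#   2  unsupported           kernel exposes no IPv6 sysctl tree at all
ipv6_loopback_status() {
    proc_root="${1:-/proc}"
    conf="$proc_root/sys/net/ipv6/conf"

    # No sysctl tree means the kernel has no IPv6 stack loaded, so the
    # sysctl-based fix cannot work; the Ztunnel-side setting is needed.
    if [ ! -d "$conf" ]; then
        echo "unsupported"
        return 2
    fi

    # The same sysctl the mitigation sets, checked for each scope that
    # affects the loopback interface.
    for scope in all default lo; do
        f="$conf/$scope/disable_ipv6"
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "disabled:$scope"
            return 1
        fi
    done

    # if_inet6 lists assigned addresses as 32 hex digits; ::1 is 31 zeros
    # followed by 1. Its absence means a bind to [::1] has nothing to bind to.
    if ! grep -q '^00000000000000000000000000000001 ' \
            "$proc_root/net/if_inet6" 2>/dev/null; then
        echo "no-loopback-address"
        return 1
    fi

    echo "ok"
    return 0
}
```

Run it on each node before scheduling Ztunnel there, and use the printed status to choose between re-enabling IPv6 on the node and setting `IPV6_ENABLED: false`.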
