As DOKS uses Cilium as the default CNI, the cluster currently does not work with Istio ambient mode, because BPF masquerade is enabled by default in the Cilium ConfigMap, which prevents kubelet from health-checking pods. When BPF masquerade is disabled (by manually changing the ConfigMap), everything works as expected.
The official Istio documentation also says that when the cluster uses Cilium as the CNI, BPF masquerade needs to be disabled; see more details here: https://istio.io/latest/docs/ambient/install/platform-prerequisites/#cilium
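A preflight check for the setting described above, as an added example that is not part of the original post or of any DOKS or Istio tooling. It assumes the ConfigMap is `cilium-config` in `kube-system` and the key is `enable-bpf-masquerade`, and it treats an absent key as Cilium's own default of off; the sample ConfigMap is constructed.

```shell
#!/bin/sh
# Added example: decide from the Cilium ConfigMap YAML (on stdin) whether
# BPF masquerading would break kubelet health checks under Istio ambient mode.
# Live use (assumed names): kubectl -n kube-system get configmap cilium-config -o yaml | check_bpf_masquerade

# Print the normalised value of enable-bpf-masquerade, or "unset" if absent.
bpf_masquerade_value() {
    awk -v sq="'" '
        /^[ \t]*enable-bpf-masquerade:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)   # drop the key and colon
            sub(/[ \t]*#.*$/, "", v)      # drop a trailing YAML comment
            gsub(/"/, "", v)              # drop double quotes
            gsub(sq, "", v)               # drop single quotes
            sub(/[ \t]+$/, "", v)         # drop trailing whitespace
            found = 1; val = tolower(v)
        }
        END { print (found ? val : "unset") }
    '
}

# Exit 0 when masquerading is off or unset, 1 when on, 2 when unrecognised.
check_bpf_masquerade() {
    case "$(bpf_masquerade_value)" in
        true)
            echo "FAIL: enable-bpf-masquerade is true; disable it for Istio ambient mode"
            return 1 ;;
        false|unset)
            echo "OK: BPF masquerading is not enabled"
            return 0 ;;
        *)
            echo "UNKNOWN: unrecognised enable-bpf-masquerade value"
            return 2 ;;
    esac
}

# Constructed sample resembling the state the post describes.
SAMPLE_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  enable-bpf-masquerade: "true"
  cluster-name: example'

printf '%s\n' "$SAMPLE_CONFIGMAP" | check_bpf_masquerade || true
```
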