I run a Rails Application with Kubernetes, EKS, and Istio behind Cloudfront. I got it running the following way:

1. Create a new Cloudfront Origin Request Policy that ONLY accepts the following headers: Sec-WebSocket-Key Sec-WebSocket-Version Sec-WebSocket-Protocol Sec-WebSocket-Accept. Allowing all headers doesn't work.

2. Attach this new origin request policy to a new behavior for the /cable URL. Use Managed-CachingDisabled cache policy or similar (no cache).

After that, the connection through Cloufront works.