Repairing Citadel

If you suspect Citadel isn’t working properly, verify the status of the istio-citadel pod:

$ kubectl get pod -l istio=citadel -n istio-system
NAME                                     READY     STATUS   RESTARTS   AGE
istio-citadel-ff5696f6f-ht4gq            1/1       Running  0          25d

If the istio-citadel pod doesn’t exist, try to re-deploy the pod.

If the istio-citadel pod is present but its status is not Running, run the commands below to get more debugging information and check if there are any errors:

$ kubectl logs -l istio=citadel -n istio-system
$ kubectl describe pod -l istio=citadel -n istio-system
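The checks above combined into one script, as an added example that is not part of the Istio documentation. The function names `citadel_triage` and `citadel_check` and the sample tables are constructed for illustration; the script also treats a pod that is Running but not fully READY as unhealthy, which goes beyond the status check described above.

```shell
#!/bin/sh
# Added example (not from the Istio docs). Function names are hypothetical.

# Classify `kubectl get pod -l istio=citadel -n istio-system` output on stdin.
# Prints: "missing", "healthy", or one "unhealthy:<pod>:<status>:<ready>"
# line per pod that is not Running or not fully ready.
citadel_triage() {
    awk '
        $1 == "NAME" || NF < 3 { next }             # header or blank line
        $1 == "No" && $2 == "resources" { next }    # "No resources found ..."
        {
            seen = 1
            split($2, r, "/")                       # READY column, e.g. 1/1
            if ($3 != "Running" || r[1] != r[2]) {
                printf "unhealthy:%s:%s:%s\n", $1, $3, $2
                bad = 1
            }
        }
        END {
            if (!seen) print "missing"
            else if (!bad) print "healthy"
        }'
}

# Run the page's procedure against the current kubectl context.
citadel_check() {
    verdict=$(kubectl get pod -l istio=citadel -n istio-system 2>/dev/null |
        citadel_triage)
    case "$verdict" in
        healthy) echo "istio-citadel is Running and ready" ;;
        missing) echo "istio-citadel pod not found: re-deploy it" ;;
        *)  echo "$verdict"
            kubectl logs -l istio=citadel -n istio-system
            kubectl describe pod -l istio=citadel -n istio-system ;;
    esac
}

# Constructed sample tables for offline use (pod name taken from the output above).
SAMPLE_OK='NAME                            READY  STATUS   RESTARTS  AGE
istio-citadel-ff5696f6f-ht4gq   1/1    Running  0         25d'
SAMPLE_CRASH='NAME                            READY  STATUS            RESTARTS  AGE
istio-citadel-ff5696f6f-ht4gq   0/1    CrashLoopBackOff  12        25d'
SAMPLE_NOT_READY='istio-citadel-ff5696f6f-ht4gq   0/1    Running  0         1m'
```

Call `citadel_check` on a machine with cluster access; `citadel_triage` can be tested on its own by piping one of the sample tables into it.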

See also

Describes Istio's authorization feature and how to use it in various use cases.

Shows how to set up role-based access control for services in the mesh.

Shows you how to use Istio authentication policy to set up mutual TLS and basic end-user authentication.

Describes how to use component-level logging to get insights into a running component's behavior.

Shows you how to verify and test Istio's automatic mutual TLS authentication.

Shows how operators can configure Citadel with an existing root certificate, signing certificate, and key.