Repairing Citadel

If you suspect Citadel isn't working properly, verify the status of the istio-citadel pod:

$ kubectl get pod -l istio=citadel -n istio-system
NAME                                     READY     STATUS   RESTARTS   AGE
istio-citadel-ff5696f6f-ht4gq            1/1       Running  0          25d

If the istio-citadel pod doesn't exist, try to re-deploy the pod.

If the istio-citadel pod is present but its status is not Running, run the commands below to get more debugging information and check if there are any errors:

$ kubectl logs -l istio=citadel -n istio-system
$ kubectl describe pod -l istio=citadel -n istio-system
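The checks above can be scripted so they run the same way every time. The following is an added example, not part of the original Istio documentation: the function names `citadel_state` and `triage_citadel`, the `--live` switch and the sample output are assumptions made for illustration, and treating a pod that is Running but not fully ready (for example `0/1`) as unhealthy goes one step beyond the status check described on this page.

```shell
#!/bin/sh
# Added example (not from the Istio docs): scripted version of the checks above.

# Classify `kubectl get pod` table output read on stdin.
# Prints: missing | healthy | unhealthy
citadel_state() {
  awk '
    $1 ~ /^istio-citadel/ {
      seen = 1
      split($2, ready, "/")   # READY column, e.g. 1/1
      # Assumption beyond the page: also flag Running pods that are not ready.
      if ($3 != "Running" || ready[1] != ready[2]) bad = 1
    }
    END {
      if (!seen) print "missing"
      else if (bad) print "unhealthy"
      else print "healthy"
    }'
}

# Query the cluster and follow the procedure above for each outcome.
triage_citadel() {
  if ! out=$(kubectl get pod -l istio=citadel -n istio-system 2>&1); then
    echo "kubectl failed: $out" >&2
    return 2
  fi
  case "$(printf '%s\n' "$out" | citadel_state)" in
    healthy)
      echo "istio-citadel is Running and ready" ;;
    missing)
      echo "istio-citadel pod not found; re-deploy it"
      return 1 ;;
    unhealthy)
      echo "istio-citadel is not Running; collecting debug output"
      kubectl logs -l istio=citadel -n istio-system
      kubectl describe pod -l istio=citadel -n istio-system
      return 1 ;;
  esac
}

# Constructed sample of a failing pod, used when no cluster is queried.
SAMPLE='NAME                            READY   STATUS             RESTARTS   AGE
istio-citadel-ff5696f6f-ht4gq   0/1     CrashLoopBackOff   12         25d'

if [ "${1:-}" = "--live" ]; then
  triage_citadel
else
  printf '%s\n' "$SAMPLE" | citadel_state
fi
```

Run it with `--live` to query the cluster; without arguments it only classifies the constructed sample. A failed `kubectl` call is reported separately so that an unreachable cluster is not mistaken for a missing pod.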

See also

Describes Istio's authorization feature and how to use it in various use cases.

Shows you how to use Istio authentication policy to set up mutual TLS and basic end-user authentication.

Shows how to set up role-based access control for services in the mesh.

Shows how to enable Citadel health checking with Kubernetes.

Describes how to use ControlZ to get insight into individual running components.

Describes how to use component-level logging to get insights into a running component's behavior.