Configure Citadel Service Account Secret Generation

    To complete this task, you should first take the following actions:

    • Read the security concept.

    • Follow the to install Istio with mutual TLS enabled.

    To create a new sample namespace foo and list the Istio secrets present in it, run:

    $ kubectl get secrets -n foo | grep istio.io
    NAME TYPE DATA AGE

    To label the namespace to prevent Citadel from creating ServiceAccount secrets in target namespace foo, run:

    $ kubectl label ns foo ca.istio.io/override=false

    To create a new ServiceAccount in this namespace, run:

    To check the namespace’s secrets again, run:

    $ kubectl get secrets -n foo | grep istio.io
    NAME TYPE DATA AGE

    You can observe that no new istio.io/key-and-cert secret was generated for the sample-service-account service account.

    Opt-in service account secret generation

    ...
    security:
      enableNamespacesByDefault: false
    ...

    Once this mesh configuration is applied, to create a namespace foo and check the secrets present in that namespace, run:

    You can observe that no secrets have been created. To override this value for the foo namespace, add a ca.istio.io/override=true label in that namespace:

      To create a new service account in the foo namespace, run:

      $ kubectl apply -f - <<EOF
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: sample-service-account
        namespace: foo
      EOF

      To check the secrets in the foo namespace again, run:
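      The opt-out and opt-in sections above describe one decision rule from both sides: an explicit ca.istio.io/override label on the namespace wins, and otherwise the mesh-wide security.enableNamespacesByDefault value applies. The following is an added example, not Istio project code: it models that rule and audits a constructed set of observed secrets against it, flagging key/cert secrets that exist where the policy says none should be generated and service accounts that still lack one. The istio.<service account> secret naming is assumed to match Citadel's convention, and all namespace, service account and secret data is constructed.

```python
# Added example (not Istio project code): model Citadel's per-namespace
# opt-in/opt-out rule and audit observed secrets against it.
LABEL = "ca.istio.io/override"          # namespace label shown on this page
SECRET_TYPE = "istio.io/key-and-cert"   # secret type shown on this page


def generation_enabled(ns_labels, enable_by_default=True):
    """True if Citadel should create key/cert secrets in this namespace:
    an explicit label wins, otherwise security.enableNamespacesByDefault
    applies (True mirrors the first section, where no label is needed)."""
    value = ns_labels.get(LABEL)
    if value is not None:
        return value.strip().lower() == "true"
    return enable_by_default


def expected_secrets(namespaces, service_accounts, enable_by_default=True):
    """Namespace -> names of the secrets Citadel is expected to create.
    Assumption: Citadel names each secret 'istio.<service account>'."""
    expected = {}
    for ns, labels in namespaces.items():
        enabled = generation_enabled(labels, enable_by_default)
        accounts = service_accounts.get(ns, []) if enabled else []
        expected[ns] = {f"istio.{sa}" for sa in accounts}
    return expected


def audit(observed, namespaces, service_accounts, enable_by_default=True):
    """Return (unexpected, missing): key/cert secrets present where policy
    says none should be generated, and service accounts still lacking one."""
    expected = expected_secrets(namespaces, service_accounts, enable_by_default)
    unexpected, missing = [], []
    for ns in namespaces:
        have = {name for name, kind in observed.get(ns, []) if kind == SECRET_TYPE}
        unexpected += [(ns, n) for n in sorted(have - expected[ns])]
        missing += [(ns, n) for n in sorted(expected[ns] - have)]
    return unexpected, missing


# Constructed sample: 'foo' is opted out via the label, 'bar' is unlabelled.
NAMESPACES = {"foo": {LABEL: "false"}, "bar": {}}
SERVICE_ACCOUNTS = {"foo": ["default", "sample-service-account"], "bar": ["default"]}
# Constructed observation (as parsed from `kubectl get secrets -A`): 'foo'
# still holds a secret created before the opt-out label was applied.
OBSERVED = {"foo": [("istio.default", SECRET_TYPE)], "bar": []}

if __name__ == "__main__":
    print(audit(OBSERVED, NAMESPACES, SERVICE_ACCOUNTS))
```

Feed it the real labels and secret list from your cluster and the "unexpected" list points at namespaces whose label and contents disagree, which is the state the two procedures above are meant to avoid.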

      Cleanup

      To delete the test namespace and all its resources, run:

      $ kubectl delete ns foo