Service Account Secret Creation
This document describes the behavior of Citadel, which is not enabled by default.
When a Citadel instance notices that a `ServiceAccount` is created in a namespace, it must decide whether it should generate an `istio.io/key-and-cert` secret for that `ServiceAccount`. In order to make that decision, Citadel considers three inputs (note: there can be multiple Citadel instances deployed in a single cluster, and the following targeting rules are applied to each instance):
- `ca.istio.io/env` namespace label: string valued label containing the namespace of the desired Citadel instance
- `ca.istio.io/override` namespace label: boolean valued label which overrides all other configurations and forces all Citadel instances either to target or ignore a namespace
- `enableNamespacesByDefault` security configuration: default behavior if no labels are found on the `ServiceAccount`'s namespace
From these three values, the decision process mirrors that of the Sidecar Injection Webhook. The detailed behavior is that:
1. If `ca.istio.io/override` exists and is `true`, generate key/cert secrets for workloads.
2. Otherwise, if `ca.istio.io/override` exists and is `false`, don't generate key/cert secrets for workloads.
3. Otherwise, if a `ca.istio.io/env: "ns-foo"` label is defined in the service account's namespace, the Citadel instance in namespace `ns-foo` will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
4. Otherwise, if `enableNamespacesByDefault` was set to `true` during installation, the default Citadel instance will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
5. Otherwise, no secrets are created for the `ServiceAccount`'s namespace.
This logic is captured in the truth table below:
ca.istio.io/override value | ca.istio.io/env match | enableNamespacesByDefault configuration | Workload secret created |
---|---|---|---|
true | yes | true | yes |
true | yes | false | yes |
true | no | true | yes |
true | no | false | yes |
true | unset | true | yes |
true | unset | false | yes |
false | yes | true | no |
false | yes | false | no |
false | no | true | no |
false | no | false | no |
false | unset | true | no |
false | unset | false | no |
unset | yes | true | yes |
unset | yes | false | yes |
unset | no | true | no |
unset | no | false | no |
unset | unset | true | yes |
unset | unset | false | no |
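The targeting rules above, written out as an added Go example rather than Citadel's own code. `Instance.IsDefault` is this example's assumption for identifying the cluster's default Citadel instance, and an override label with any value other than `true` or `false` is treated as unset here.

```go
package main

import "fmt"

const (
	overrideLabel = "ca.istio.io/override"
	envLabel      = "ca.istio.io/env"
)

// Instance is one Citadel deployment; IsDefault (an assumption here) marks the default one.
type Instance struct {
	Namespace                 string
	IsDefault                 bool
	EnableNamespacesByDefault bool
}

// ShouldCreateSecret applies the override -> env -> default ordering from the text
// and reports whether this instance should generate the istio.io/key-and-cert secret.
func (c Instance) ShouldCreateSecret(nsLabels map[string]string) bool {
	switch nsLabels[overrideLabel] {
	case "true":
		return true // forces every instance to target the namespace
	case "false":
		return false // forces every instance to ignore the namespace
	} // any other value is treated as unset (assumption of this example)
	if env, ok := nsLabels[envLabel]; ok {
		return env == c.Namespace // only the named instance targets the namespace
	}
	return c.IsDefault && c.EnableNamespacesByDefault
}

// TargetingInstances lists every instance that would generate a secret for nsLabels.
func TargetingInstances(instances []Instance, nsLabels map[string]string) []string {
	var out []string
	for _, c := range instances {
		if c.ShouldCreateSecret(nsLabels) {
			out = append(out, c.Namespace)
		}
	}
	return out
}

func main() {
	cluster := []Instance{ // constructed two-instance cluster
		{Namespace: "istio-system", IsDefault: true, EnableNamespacesByDefault: true},
		{Namespace: "ns-foo", EnableNamespacesByDefault: true},
	}
	fmt.Println(TargetingInstances(cluster, map[string]string{envLabel: "ns-foo"}))   // [ns-foo]
	fmt.Println(TargetingInstances(cluster, map[string]string{overrideLabel: "true"})) // [istio-system ns-foo]
}
```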
When a namespace transitions from disabled to enabled, Citadel will retroactively generate secrets for all `ServiceAccount`s in that namespace. When transitioning from enabled to disabled, however, Citadel will not delete the namespace's generated secrets until the root certificate is renewed.