istioctl multicluster check
Reference for the istioctl multicluster check command.
istioctl multicluster check
Check a cluster’s multicluster ambient mesh support and status.
Synopsis
Verify multiple aspects of multicluster ambient mesh support and status. For example, you can use the ‘istioctl multicluster check’ command to check the individual readiness of each cluster before running ‘istioctl multicluster link’ to link them in a multicluster mesh, and run it again after linking to confirm that the connections were successful. The command checks the following. For more information, see the multicluster ambient mesh documentation.
- Incompatible environment variables: Relevant environment variables on istiod are supported.
- License validity: Multicluster capabilities require an Enterpise level license for Gloo Mesh.
- CNI DNS capture: Ambient DNS capture is enabled in the istio-cni-config ConfigMap for global hostname lookups.
- Pod health: Istiod, ztunnel, and east-west gateway pods must be healthy and running.
- East-west gateway status: The east-west gateway service is attached to the gateway and is assigned an address.
- Peer gateway status: The peer gateway is configured to connect to the peered cluster’s remote network, and has the topology.istio.io/cluster label set.
- Shared services: Shows globally shared services (.mesh.internal and custom Segment domains) available across clusters.
- Intermediate certificate compatibility: The root cert is compatible with all of the clusters’ intermediate certificate chains.
- Network configuration: Each cluster has a unique, properly configured network.
- Stale workload entries: In flat network topologies, checks for any outdated workload entries that must be removed.
istioctl multicluster check [flags]Examples
# Check the readiness of three clusters (alpha, beta, and gamma) for multicluster with precheck mode before linking them
istioctl multicluster check --contexts="alpha,beta,gamma" --precheck
# Check the multicluster status of three linked clusters (alpha, beta, and gamma) with verbose output
istioctl multicluster check --contexts="alpha,beta,gamma" --verbose
# Check multicluster status from extracted bug-report directories (offline, no cluster access needed)
istioctl multicluster check --directory /path/to/cluster1-bugreport --directory /path/to/cluster2-bugreportOptions
--contexts strings List of cluster contexts to check.
--directory stringArray Path(s) to extracted istioctl bug-report directories, one per cluster. Enables offline checking without cluster access.
-h, --help help for check
-p, --precheck Check for multicluster readiness, ignoring missing multicluster resources. This is useful to check the readiness of each cluster before linking them in a multicluster mesh.
-v, --verbose Print extra information about each check. This is useful to diagnose any issues with the multicluster mesh.Options inherited from parent commands
--as string Username to impersonate for the operation. User could be a regular user or a service account in a namespace
--as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
--as-uid string UID to impersonate for the operation.
--context string Kubernetes configuration context
-i, --istioNamespace string Istio system namespace (default "istio-system")
--kubeclient-timeout string Kubernetes client timeout as a time.Duration string, defaults to 15 seconds. (default "15s")
-c, --kubeconfig string Kubernetes configuration file
-n, --namespace string Kubernetes namespace
--out string output directory (default "/tmp/istioctl-cli-docs/1.28")