istioctl bootstrap
Reference for the istioctl bootstrap command.
istioctl bootstrap
Generate a bootstrap token to run Istio ambient mode anywhere.
Synopsis
‘istioctl bootstrap’ generates a token that can be used to connect a ztunnel instance to an ambient mesh on any platform.
The command takes the name of the service account you want to use as a single argument, and outputs a single token. You can then transfer this token to the machine you want to run the ztunnel on, or use it directly on the same machine.
To automatically infer as much information as possible, this command makes the following assumptions:
- Istiod’s CA certificate is stored in the ‘istio-ca-root-cert’ ConfigMap by default. Advanced use cases, such as using a load balancer to terminate TLS, are not yet supported.
- Istiod is exposed externally either via the ‘istiod’ LoadBalancer Service, or via a LoadBalancer Service with the label ‘istio.io/expose-istiod: port_number’.
istioctl bootstrap [flags]
Examples
# Generate a bootstrap token for the 'productpage' service account and use it to launch a ztunnel instance.
BOOTSTRAP_TOKEN=$(istioctl bootstrap productpage) ztunnel
# Generate a bootstrap token for the 'productpage' service account in the namespace 'bookinfo'.
istioctl bootstrap productpage --namespace bookinfo
# Generate a bootstrap token for the 'productpage' service account.
# The workload runs somewhere without direct network connectivity. This setup requires an east-west gateway.
istioctl bootstrap productpage --external
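The examples above show the bare invocation; the script below is an added example (not from the Istio project or its documentation) that wraps the same command with a pre-flight check for the two assumptions listed in the synopsis, then writes the token to a file readable only by the current user so it can be copied to the ztunnel host. The script name bootstrap-wrapper.sh, the ISTIO_NS variable, the "labeled" marker column and the output file names are assumptions of this example; the istioctl and kubectl flags it uses are the ones documented on this page or in kubectl's own reference.

```shell
#!/bin/sh
# Added example, not part of Istio or its documentation. Wraps
# 'istioctl bootstrap' with a pre-flight check for the two assumptions listed
# in the synopsis, then writes the token to a file readable only by the
# current user for transfer to the ztunnel host. Assumes kubectl and istioctl
# are on PATH and a kubeconfig for the cluster is in place.
set -eu

ISTIO_NS="${ISTIO_NS:-istio-system}"

# Pure function (no cluster needed): reads "name type [labeled]" lines on
# stdin and prints the Service istiod is exposed through, following the
# command's own rules: a LoadBalancer Service named 'istiod' wins, otherwise
# the first LoadBalancer Service carrying the istio.io/expose-istiod label
# (marked here by a third column "labeled"). Returns 1 if none qualifies.
select_istiod_service() {
  awk '
    $2 == "LoadBalancer" && $1 == "istiod"                   { named = $1 }
    $2 == "LoadBalancer" && $3 == "labeled" && labeled == "" { labeled = $1 }
    END {
      if (named != "")        print named
      else if (labeled != "") print labeled
      else                    exit 1
    }
  '
}

# Build the "name type [labeled]" listing from the cluster: the istiod Service
# (if any) plus every Service selected by the expose-istiod label.
istiod_service_listing() {
  ns="$1"
  kubectl get svc istiod -n "$ns" \
    -o jsonpath='{.metadata.name} {.spec.type}{"\n"}' 2>/dev/null || true
  kubectl get svc -n "$ns" -l istio.io/expose-istiod \
    -o jsonpath='{range .items[*]}{.metadata.name} {.spec.type} labeled{"\n"}{end}'
}

# Check both assumptions and fail with a clear message before any token is
# minted, so a misconfigured cluster does not leave an unusable secret behind.
preflight() {
  ns="$1"
  if ! kubectl get configmap istio-ca-root-cert -n "$ns" >/dev/null 2>&1; then
    echo "preflight: ConfigMap istio-ca-root-cert not found in $ns" >&2
    return 1
  fi
  if ! svc=$(istiod_service_listing "$ns" | select_istiod_service); then
    echo "preflight: istiod is not exposed via a LoadBalancer Service in $ns" >&2
    return 1
  fi
  echo "preflight: istiod exposed through Service $svc"
}

# Write the token to a 0600 file rather than leaving it in shell history or a
# process listing. $1 = service account, $2 = namespace, $3 = output path.
generate_token_file() {
  umask 077
  istioctl bootstrap "$1" --namespace "$2" -i "$ISTIO_NS" > "$3"
  echo "token written to $3; on the ztunnel host: BOOTSTRAP_TOKEN=\$(cat $3) ztunnel"
}

# Only touch the cluster when run with arguments, e.g.
#   ./bootstrap-wrapper.sh productpage bookinfo ./productpage.token
if [ "$#" -ge 2 ]; then
  preflight "$ISTIO_NS"
  generate_token_file "$1" "$2" "${3:-./bootstrap-token}"
fi
```

The selection logic is kept in a function that reads plain text so it can be exercised without a cluster; the cluster-facing parts are limited to three kubectl calls and the istioctl invocation itself. Because the token is a credential that lets a ztunnel join the mesh as the named service account, the wrapper refuses to mint one until both assumptions check out and never echoes the token to the terminal.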
Options
--external If set to true, the workload is external to the network. This setting is useful if you want to run the ztunnel on a machine that is not part of the cluster network.
-h, --help help for bootstrap
--platform string The platform this workload runs on. Supported values: [ecs]
-s, --service-account string The service account the workload runs as. The service account represents the workload in the cluster, so that istiod treats it the same way as any other pod in the ambient mesh. If you later want to apply Istio resources to your workload, you can use this service account and namespace in the resource configuration.
Options inherited from parent commands
--as string Username to impersonate for the operation. The user can be a regular user or a service account in a namespace.
--as-group stringArray Group to impersonate for the operation; this flag can be repeated to specify multiple groups.
--as-uid string UID to impersonate for the operation.
--context string Kubernetes configuration context
-i, --istioNamespace string Istio system namespace (default "istio-system")
--kubeclient-timeout string Kubernetes client timeout as a time.Duration string, defaults to 15 seconds. (default "15s")
-c, --kubeconfig string Kubernetes configuration file
-n, --namespace string Kubernetes namespace
--out string output directory (default "/tmp/istioctl-cli-docs/1.28")