# Check the injection status of a pod under a deployment
  istioctl x check-inject deployment/details-v1

  # Check the injection status of a pod under a deployment in namespace test
  istioctl x check-inject deployment/details-v1 -n test

  # Check the injection status of label pairs in a specific namespace before actual injection 
  istioctl x check-inject -n test -l app=helloworld,version=v1
`,

			}
		}
	}

	clusterEndpoint = retrieveSortedEndpointClusterSlice(clusterEndpoint)
	fmt.Fprintln(w, "ENDPOINT\tSTATUS\tOUTLIER CHECK\tCLUSTER")
	for _, ce := range clusterEndpoint {
		var endpoint string
		if ce.port != 0 {
			endpoint = ce.address + ":" + strconv.Itoa(ce.port)
		} else {
			endpoint = ce.address
		}

		namespace, serviceAccount, kubeClient, multixds.DefaultOptions)
	if respErr != nil {
		return xdsResponses, respErr
	}
	_, _ = fmt.Fprint(writer, "error: according to below command list, please check all supported internal debug commands\n")
	return xdsResponses, nil
}

func HandlerForDebugErrors(kubeClient kube.CLIClient,
	centralOpts *clioptions.CentralControlPlaneOptions,
	writer io.Writer,

			for _, s := range tc.outputMatches {
				if !strings.Contains(commandOutput, s) {
					t.Fatalf("expected \"%s\" in command output, got %s", s, commandOutput)
				}
			}

			// check mutating webhooks after run
			webhooksAfter, _ := client.AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.Background(), metav1.ListOptions{})
			if len(webhooksAfter.Items) != len(tc.webhooksAfter.Items) {

	case istioctlutil.CommandParseError:
		// do nothing
	default:
		t.Errorf("Expected a CommandParseError, but got %q.", fErr)
	}

	// all of the subcommands
	rootCmd = GetRootCmd([]string{"x", "authz", "check", "--unknown-flag"})
	fErr = rootCmd.Execute()

	switch fErr.(type) {
	case istioctlutil.CommandParseError:
		// do nothing
	default:
		t.Errorf("Expected a CommandParseError, but got %q.", fErr)
	}

	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"

	"istio.io/istio/istioctl/pkg/util/configdump"
	v3 "istio.io/istio/pilot/pkg/xds/v3"
)

// Analyzer that can be used to check authorization policy.
type Analyzer struct {
	listenerDump *envoy_admin.ListenersConfigDump
}

// NewAnalyzer creates a new analyzer for a given pod based on its envoy config.

		isAnnotated := newPod.Annotations != nil && newPod.Annotations[constants.AmbientRedirection] == constants.AmbientRedirectionEnabled
		shouldBeEnabled := util.PodRedirectionEnabled(ns, newPod)

		// We should check the latest annotation vs desired status
		changeNeeded := isAnnotated != shouldBeEnabled

		log.Debugf("Pod %s events: wasAnnotated(%v), isAnnotated(%v), shouldBeEnabled(%v), changeNeeded(%v), oldPod(%+v), newPod(%+v)",

	}
	secretDump, err := c.configDump.GetSecretConfigDump()
	if err != nil {
		return "", fmt.Errorf("sidecar doesn't support secrets: %v", err)
	}
	for _, secret := range secretDump.DynamicActiveSecrets {
		// check the ROOTCA from secret dump
		if secret.Name == "ROOTCA" {
			var returnStr string
			var returnErr error
			strCA, err := c.configDump.GetRootCAFromSecretConfigDump(secret.GetSecret())
			if err != nil {

	caDataSecret := secretTyped.
		GetValidationContext().
		GetTrustedCa().
		GetInlineBytes()

	// seems as though the most straightforward way to tell whether this is a root ca or not
	// is to check whether the inline bytes of the cert chain or the trusted ca field is zero length
	if len(certChainSecret) > 0 {
		builder.Data(string(certChainSecret))
	} else if len(caDataSecret) > 0 {
		builder.Data(string(caDataSecret))

		Example: `  # Check AuthorizationPolicy applied to pod httpbin-88ddbcfdd-nt5jb:
  istioctl x authz check httpbin-88ddbcfdd-nt5jb

  # Check AuthorizationPolicy applied to one pod under a deployment
  istioctl x authz check deployment/productpage-v1

  # Check AuthorizationPolicy from Envoy config dump file:
  istioctl x authz check -f httpbin_config_dump.json`,