Skip to main content

Step 3: Verify your installation

Once the installer completes, verify that the Ziti components and support services are running correctly before proceeding.

Set up your shell session

If you installed using K3s, run the following commands to set up your current shell session:

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
source /etc/profile.d/nf_help_menu.sh

These commands only need to be run once after the initial install — new shell sessions pick up these settings automatically.

note

If you are using a bring-your-own Kubernetes cluster, your KUBECONFIG is already configured. You still need to source the profile script to load the nf-* shortcut commands into your session:

source /etc/profile.d/nf_help_menu.sh

Verify deployment health

Run nf-status to check the status of all NetFoundry deployments across the ziti, support, and cert-manager namespaces:

nf-status

All deployments should show the expected replica count in the READY column (e.g., 1/1). If any deployments show 0/1, investigate with kubectl describe on the corresponding pod.

For more detail, check individual namespaces with kubectl:

kubectl get pods -n ziti
kubectl get pods -n support

All pods should show a Running status with all containers ready. If any pods show CrashLoopBackOff, Error, or Pending, see Troubleshooting for diagnostic steps.

Review installation notes

The installer generates an INSTALL-NOTES.txt file containing your ZAC URL, admin credentials, support tool URLs, and helm upgrade commands. View these notes at any time:

nf-install-notes

Access the Ziti API via CLI

The Ziti CLI is installed as part of the quickstart and can be used to manage your network directly from the command line. To authenticate with the controller, run:

nf-login

This retrieves the admin credentials from Kubernetes secrets and logs you into the Ziti controller automatically. Once logged in, you can use ziti edge commands to list and manage identities, services, policies, routers, and other resources. For example:

ziti edge list identities
ziti edge list services

Access the Ziti Admin Console (ZAC)

The Ziti Admin Console (ZAC) is a web-based UI that ships with the controller and deploys alongside it. Use it to manage your Ziti network, including identities, services, and policies.

  • Console URL: Navigate to https://<your-controller-advertise-address>/zac in your browser. The port is part of the advertise address you configured during installation—don't append a separate port number.

  • Initial credentials: The installer generates administrator credentials during setup. Run nf-install-notes to view them. To retrieve the admin password directly from Kubernetes secrets:

    kubectl get secrets ziti-controller-admin-secret -n ziti \
      -o go-template='{{index .data "admin-password" | base64decode}}'

  • Certificate warning: The installation uses a self-signed CA, so your browser will display a security warning on first access. You can proceed past the warning or import the Ziti root CA into your browser's trust store.

Verify support tool access

If you installed the Ziti network resources for support tools during setup, confirm they were created successfully.

In ZAC, navigate to the services list to verify that Ziti services and policies have been created for Grafana, Kibana, and Elasticsearch.

If the Ziti edge tunnel was installed as a host identity, verify it is running:

kubectl get pods -n support -l app=ziti-edge-tunnel

The support tools are accessible over Ziti using the intercept addresses configured during installation (by default grafana.ziti, kibana.ziti, and elasticsearch.ziti). To access them, enroll the support-user.jwt token generated during installation with a Ziti client (Desktop Edge, mobile tunneler, or CLI tunneler).

For full details on intercept addresses, default credentials, and configuration options, see the support stack overview.

Troubleshoot common issues

SymptomResolution
Pods stuck in PendingCheck node resources with kubectl describe node and verify sufficient CPU/memory
LoadBalancer has no external IPVerify your cluster supports LoadBalancer services or check cloud provider config
Cannot reach ZAC in browserConfirm DNS is resolving to the correct LoadBalancer address and the advertise port is accessible
Certificate errors in browserExpected with self-signed CA—proceed past the warning or import the root CA

Check Kubernetes events

Kubernetes events often reveal the root cause of pod failures, scheduling issues, or volume problems. To view recent events across the relevant namespaces:

kubectl get events -n ziti --sort-by='.metadata.creationTimestamp'
kubectl get events -n support --sort-by='.metadata.creationTimestamp'

Installer log files

The installer creates log files in the installation directory that are useful for diagnosing issues:

  • install.log — Full output from the quickstart installer, including all commands and their results.
  • kubectl_events_<timestamp>.log — Kubernetes events captured automatically if the installer encounters an error.

Contact support

If you are unable to resolve an issue, run nf-support-bundle to collect diagnostics and logs into a zip file. Include this bundle along with install.log and any kubectl_events_*.log files when contacting NetFoundry support.

For more detailed troubleshooting, see the troubleshooting guide.