https://istio.io/docs/ops/architecture/#citadel

Citadel enables strong service-to-service and end-user authentication with built-in identity and credential management. You can use Citadel to upgrade unencrypted traffic in the service mesh. Using Citadel, operators can enforce policies based on service identity rather than on relatively unstable layer 3 or layer 4 network identifiers. Starting from release 0.5, you can use Istio’s authorization feature to control who can access your services.

https://istio.io/docs/tasks/security/citadel-config/
https://istio.io/docs/tasks/security/citadel-config/ca-namespace-targeting/