Kiali releases v1.20 & v1.19 — improved filtering, new metrics, OpenID support and more

About a month has passed since the last post (which was on June 2nd). Over that month, two new versions of Kiali have been released: v1.19 and v1.20.

I hope you are already using the very latest release — which is v1.20. The latest two releases happened normally, with no special news. The demo presentations also happened normally.

• Recording of version 1.19 demo is about 20 minutes long.
• Recording of version 1.20 demo is not available, yet.

Alright! Since all went smoothly and there are no other news to share. Let’s go directly to the list of enhancements.

Enhanced label filtering in list pages

The recent introduction of the labels column in lists added the possibility to add interactivity to label filtering. Click on a label and the list will be filtered!

Logical “and” and “or” operators were added to improve filtering capabilities. The operators are shown when the Label filter is selected in the toolbar. The selected operator takes effect on the active list of chosen labels.

Show & Hide feature in logs tab

There are two new input boxes in the Logs tab of the Workloads details page, labeled Show and Hide. This is a recording showing how these input boxes work:

The Hide box will filter out log lines that contain the specified string, while the Show box will filter out log lines that do NOT contain the specified string.

An important note: filtering is case sensitive. This is properly noted in the help tooltip that appears when hovering the mouse pointer on the icon at the right of these boxes.

Additionally, the Container drop-down was restored. This drop-down was removed when the split view was introduced. It was re-added because of the understanding that pods can be composed of several containers, in addition to the sidecar.

Request and response throughput in metrics

Measured as bitrate, request throughput, and response throughput, metrics are now available in both Inbound and Outbound metrics tabs in detail pages of Applications, Workloads and Services.

A community user pointed out that, although these metrics have been available in Istio for some time, they were missing in Kiali.

Overview page re-design

The Overview now has a cleaner look and better supports feature additions.

The change was in the cards. This is how the cards looked before:

Comparing with the old look, the text of the cards in the overview page is now left-aligned; the traffic sparkline fills the horizontal space; the horizontal health bar is removed leaving only the status indicators; the navigation icons were replaced with text links under a kebab menu (three vertical dots).

As already said, the goal was to add flexibility to add new features. This was achieved with the addition of the kebab menu where new namespace-scoped features will be added.

Navigation in Graph Overview card

The Graph Overview card was introduced in Kiali v1.15. In contrast to the main graph, interaction was limited only to pan and zoom. To improve navigation across Kiali pages, the Graph Overview is now reacting to clicks to let you navigate to the detail page of the clicked node.

This is not only improving navigation, but also usability. Should you already found in the Graph Overview a node that is relevant to inspect, you no longer need to find a link to its details page on other parts of the page. Just use what you already found within the Graph Overview.

Support for creation of PeerAuthentication and RequestAuthentication resources

The wizard for creating Istio resources was enhanced with support for PeerAuthentication and RequestAuthentication Istio resources:

With the added support for these two resources and the already existent support for creating AuthorizationPolicy resources, Kiali should be armed with the needed tools to let you control mutual TLS and end-user authentication for your service mesh.

New Istio config validations

There are six newly added validations. This is the list:

• KIA0208 — PeerAuthentication enabling mTLS found, permissive mode needed
• KIA0502 — More than one selector-less PeerAuthentication in the same namespace
• KIA0503 — More than one PeerAuthentication applied to the same workload
• KIA0504 — No matching workload found for PeerAuthentication selector in this namespace
• KIA0505 — Destination Rule disabling namespace-wide mTLS is missing
• KIA0506 — Destination Rule disabling mesh-wide mTLS is missing

The website documentation provides a good explanation and sample configurations triggering the warnings or errors. Links to the website documentation are provided in the list above.

There is one validation that changed:

• KIA1108 — Preferred nomenclature: <gateway namespace>/<gateway name>. Previously was: KIA1108 — Destination field is mandatory

Login through an OpenID provider

This comes with the aim to solve several community issues about ways to authenticate into Kiali. With all the reported issues around authentication, we learned that most Kiali options didn’t suit user needs.

Frankly, we didn’t want to spend a lot of time implementing authentication mechanisms. That isn’t part of Kiali goals. Since Kubernetes has authentication support with OpenID Connect, we decided to implement authentication using OpenID providers. This delegates authentication and authorization to external parties as much as possible; i.e., authentication is performed by an OpenId provider, and authorization is performed by the Kubernetes RBAC system. We hope that the broad range of available OpenID providers gives the flexibility to integrate Kiali with a broad choice of authentication systems.

With the new OpenID authentication strategy in place, we are deprecating the “login” and “LDAP” strategies, which are too limited. Both are going to be removed in a future release.

Read the relevant section in the Getting Started guide to learn how to setup the new OpenID authentication strategy.

Support for more Istio custom resources

In the Istio Config page, support for listing and inspecting the following Istio custom resources was added:

• Handler
• Instance
• AttributeManifest
• EnvoyFilter
• HttpAPISpec
• HttpAPISpecBinding

All but EnvoyFilter are resources related to the deprecated Istio Mixer. This provides completeness of configuration inspection in case you are still using Istio’s Mixer for telemetry collection.

The EnvoyFilter resource has been in Istio for a while. Also, support is added for completeness.

Stay in touch

That’s the update of the latest two releases. Remember that Kiali is OpenSource and we encourage people to contribute to the project!

I remind you that Kiali project has a Twitter account. Follow us, and contribute! It’s not only about coding, reporting issues and providing feedback. You can also contribute by spreading to the world about Kiali. It’s as easy as giving us a retweet to increase reach ;)