Kiali Logo

Installation Guide

Prerequisites

Kiali Version Requirements

Kiali requires a supported version of Istio. The Istio news page posts end-of-support (EOL) dates. Supported Kiali versions include only the Kiali version bundled with Istio, or newer.

Version Compatibility

Istio Kiali Notes

1.7.0+

1.22.1+

Istio 1.7 istioctl will no longer install Kiali. Use the Istio samples/addons all-in-one yaml or the Kiali Helm Chart for quick demo installs.

1.6.0+

1.18.1+

Istio 1.6 introduces CRD and Config changes, Kiali 1.18+ may not offer the best experience when used with Istio < 1.6.

1.5.1+

1.15.2+

Avoid Istio v1.5.0 for security reasons. Kiali 1.18+ is best with Istio 1.6+

⇐ 1.4

n/a

Out of support, users should use Istio >= 1.5

 If you are running Red Hat OpenShift Service Mesh (RH OSSM) then use only the bundled version of Kiali.

Browser Version Requirements

Kiali requires a modern web browser and supports the last two versions of Chrome, Firefox, Safari or Edge.

Hardware Requirements

Any machine capable of running Red Hat OpenShift/OKD should also be able to run Kiali. For production environments this usually means:

  • For masters: 16GB RAM, 4vCPUs, 40GB of hard disk space.

  • For nodes: 8GB RAM, 1vCPU, 16GB of hard disk space.

For development the requirements are lower, depending on how demanding your applications are, and how many services you’re planning on running at the same time on your machine. Of course, your situation may vary, so plan accordingly. Keep in mind that Kiali is not especially demanding of your machine resources and, as an isolated part of your environment, should not affect your applications throughput or latency.

For more, see the OKD install documentation.

Helm Requirements

If you are going to install the Helm Chart, you must use Helm 3. You can install Helm by following the Helm installation docs.

OpenShift Requirements

If you are installing on OpenShift, you must grant the cluster-admin role to the user that is installing Istio and Kiali. If OpenShift is installed locally on the machine you are using, the following command should log you in as user system:admin which has this cluster-admin role:

  oc login -u system:admin

 For most commands listed on this page the Kubernetes CLI command kubectl is used to interact with the cluster environment. On OpenShift you can simply replace kubectl with oc, unless otherwise noted.

Installation

  If you previously installed Kiali through some other mechanism, you must uninstall it first using that original mechanism’s uninstall procedures. There is no migration path between older installation mechanisms and the install mechanisms explained below.

Quick Install

If you want to install for demos or just to "kick the tires" on Kiali, it may be easier to install using the Quick Start instructions instead.

Install Kiali via Istio or Maistra

  Starting with Istio 1.7, Kiali is no longer shipped with the istioctl installer. If you are using an Istio implementation of version 1.7 or higher, skip this section and go on to the next.

If you prefer to use the latest Kiali version, complete the Istio or Maistra installation and then Install Kiali Latest.

To install Kiali as part of the Istio installation just follow the Istio Setup docs. If you are running on OpenShift and prefer Maistra, see Maistra Setup docs. You may then continue to Open the UI.

Upgrade the Istio or Maistra Version of Kiali

The version of Kiali packaged with Istio or Maistra may not contain the most recent features and fixes. To upgrade to the latest version of Kiali first Uninstall Kiali Operator and Kiali and then proceed to Install Kiali Latest.

Install Kiali Latest

Installing the latest version of Kiali is done using the Kiali Operator. The Kiali Operator is a Kubernetes Operator. The Kiali Operator manages your Kiali installation. The Kiali Operator watches the Kiali Custom Resource (CR), a YAML file that holds the Kiali configuration. When you modify the Kiali CR, the operator installs, updates, or uninstalls Kiali as needed.

The next few sections describe the different installation methods available for installing the Kiali Operator. Depending on the installation method you use, the operator may then install Kiali. Before you install Kiali, you will want to know which authentication strategy Kiali should use (this determines how users are to log into Kiali). See Login Options for more on the login, anonymous, ldap, openshift, token and openid authentication strategies.

  It is only necessary to install the Kiali Operator one time. After the operator is installed you need only create or edit the Kiali CR (see Create or Edit the Kiali CR). The Kiali ConfigMap will be managed by the Kiali Operator and should not be manually edited. As soon as the Kiali operator is installed and running, there is no need to again perform one of the installations below.

OperatorHub

For production environments that have OperatorHub installed (OpenShift comes with OperatorHub out-of-box), you may want to install Kiali Operator using OperatorHub. Simply go to the OperatorHub console and install Kiali Operator. At that point, you can create the Kiali CR to install Kiali.

Helm Chart

For production environments that do not have OperatorHub, it is recommended that you use the Kiali Operator Helm Chart located on the Kiali Helm Chart Repository at https://kiali.org/helm-charts.

  The Kiali Operator Helm Chart requires Helm v3

The Kiali Operator Helm Chart is configurable. You can see the default values.yaml here.

To install the latest Kiali Operator along with a Kiali CR (which triggers a Kiali Server to be installed in istio-system namespace) using the Helm Chart, you can run this:

$ kubectl create namespace kiali-operator
$ helm install \
    --set cr.create=true \
    --set cr.namespace=istio-system \
    --namespace kiali-operator \
    --repo https://kiali.org/helm-charts \
    kiali-operator \
    kiali-operator

  To install a specific version X.Y.Z, simply pass --version X.Y.Z to the helm command

This installation method gives Kiali access to existing namespaces as well as namespaces created later. See Namespace Management for more information if you want to change that behavior.

Operator-Only Install

To install only the Kiali Operator and not a Kiali CR, simply pass --set cr.create=false to the helm command. This option is good when you plan to customize the Kiali CR and the resulting Kiali Server installation.

After the Kiali Operator is installed and running, go to Create or Edit the Kiali CR for the customized Kiali installation.

Create or Edit the Kiali CR

The Kiali Operator watches the Kiali CR. Creating, updating, or removing a Kiali CR will trigger the Kiali Operator to install, update, or remove Kiali. This assumes the Kiali Operator has already been installed.

To create an initial Kiali CR file it is recommended to copy the fully documented example Kiali CR YAML file. Edit that file being careful to maintain proper formatting, and save it to a local file such as my-kiali-cr.yaml.

  It is important to understand the deployment.accessible_namespaces setting in the CR. See Accessible Namespaces for more information.

  The Kiali ConfigMap will be managed by the Kiali Operator and should not be manually edited.

To install Kiali, create the Kiali CR using the local file by running a command similar to this (note: the typical Kiali CR is normally installed in the Istio control plane namespace):

  kubectl apply -f my-kiali-cr.yaml -n istio-system

To update Kiali, edit and save the existing Kiali CR; for example:

  kubectl edit kiali kiali -n istio-system

Open the UI

Once Istio, Maistra, or the Kiali Operator has installed Kiali, and the Kiali pod has successfully started, you can access the UI. Please, check the FAQ: How do I access Kiali UI?

  The credentials you use on the login screen depend on the authentication strategy that was configured for Kiali. See Login Options for more details.

Uninstall

Uninstall Kiali Only

To remove Kiali is simple - just delete the Kiali CR. To trigger the Kiali Operator to uninstall Kiali run a command similar to this (note: the typical Kiali CR name is kiali and you normally install it in the Istio control plane namespace):

  kubectl delete kiali kiali -n istio-system

Once deleted, you have no Kiali installed, but you still have the Kiali Operator running. You could create another Kiali CR with potentially different configuration settings to install a new Kiali instance.

Uninstall Kiali Operator and Kiali

If you installed Kiali Operator using OperatorHub, use OperatorHub to uninstall. Otherwise, to uninstall everything related to Kiali (Kiali Operator, Kiali, etc.) you will want to use Helm.

To uninstall, first you must ensure all Kiali CRs that are being watched by the operator are deleted. This gives the operator a chance to uninstall the Kiali Servers before you remove the operator itself.

  If you fail to delete the Kiali CRs first, your cluster may not be able to delete the namespace where the CR is deployed and remnants from the Kiali Server will not be deleted.

After you have successfully deleted the Kiali CRs, then you can uninstall the Kiali Operator using Helm. Because Helm does not delete CRDs, you have to do that in order to clean up everything. For example:

  helm uninstall --namespace kiali-operator kiali-operator
  kubectl delete monitoringdashboards.monitoring.kiali.io
  kubectl delete kialis.kiali.io

Known Problem: Uninstall Hangs

If the uninstall hangs (typically due to failing to delete all Kiali CRs prior to uninstalling the operator) the following may help to resolve the problem. You basically want to clear the finalizer from the Kiali CRs causing the hang.

  If you installed the Kiali CR in a different namespace, replace istio-system in the command with the namespace in which the Kiali CR is located. The below command also assumes the Kiali CR is named kiali.

  kubectl patch kiali kiali -n istio-system -p '{"metadata":{"finalizers": []}}' --type=merge

Note that even if this fixes the hang problem, you may still have remnants of the Kiali Server in your cluster. You will manually need to delete those resources.

Additional Notes

Customize the Kiali UI web context root

By default, when installed on OpenShift, the Kiali UI is deployed to the root context path of "/", for example https://kiali-istio-system.<your_cluster_domain_or_ip>/. In some situations, such as when you want to serve the Kiali UI along with other apps under the same host name, for example, example.com/kiali, example.com/app1, you can edit the Kiali CR and provide a different value for web_root. The path must begin with a / and not end with a / (e.g. /kiali or /mykiali).

An example of custom web root:

server:
  web_root: /kiali
  ...

The above is the default when Kiali is installed on Kubernetes - so to access the Kiali UI on Kubernetes you access it at the root context path of /kiali.

Login Options

Kiali supports several different login options.

login: This option allows a user to log in to Kiali using a username and password. This is the default option if using Kubernetes.

  The login strategy is deprecated and it will be removed in a following release. As an alternative, use the token strategy, which provides similar authentication experience to the Kubernetes Dashboard.

anonymous: This option removes any login requirement. A user will not be presented the login page and will automatically have access to Kiali without having to present any credentials.

ldap: This option allows a user to log in to Kiali using a username and passphrase that is authenticated via a backend LDAP server. This option requires that you configure additional settings in the Kiali CR under auth.ldap - see below for an example. If you want to use this option, you cannot use the operator deploy script to configure Kiali for you - you must create the Kiali CR and either pass it to the deploy script via --kiali-cr or do not have the script deploy a Kiali CR (--operator-install-kiali=false) but instead deploy the Kiali CR directly into your cluster yourself.

  The ldap strategy is deprecated and it will be removed in a following release. As an alternative, use the openid strategy and use an OpenID provider that supports LDAP integration.

openshift: If you have deployed Kiali on OpenShift you can use this option (this is the default option if you’re using OpenShift). With this option, users log in to Kiali with the OpenShift OAuth login. What users can access in Kiali will now be based on their user roles in OpenShift using the Kubernetes RBAC.

token: This option allows a user to log in to Kiali using a Service Account token. This is similar to the login view of Kubernetes Dashboard. When using this option, the cluser RBAC will take effect and users can access only what is allowed to the Service Account.

openid: This option allows a user to log in to Kiali using an external identity provider that implements OpenID Connect. When using this option, the cluser RBAC will take effect and users can access only what is allowed via the cluster’s authorization mechanisms. This strategy requires that your Kubernetes cluster is configured to accept tokens issued from your identity provider. See the dedicated OpenID section of this page for more information.

  Using the anonymous option will leave Kiali unsecured. Anyone who can access the console will have full access to Kiali. If you are using this option you will need to make sure that it is only available on a trusted network and that only trusted users can access it.

If login strategy is selected during the installation, a secret containing Kiali login credentials is required to be deployed along with Kiali. In this case, the install script will prompt you to enter a username and passphrase for the credentials that you want users to enter in order to log in successfully to Kiali. The install script will store those credentials in a secret that is deployed in the same namespace where Kiali is installed.

  If you configured the install script not to install a Kiali CR (and thus not have Kiali installed yet) via the operator-install-kiali=false option, you are responsible for creating this secret if you wish to install Kiali with the authentication strategy of "login". A secret is not required if your authentication strategy is not "login". The following command is a simple way to create a secret for Kiali whose user name is "admin" and password is "admin":

  kubectl create secret generic kiali -n istio-system --from-literal "username=admin" --from-literal "passphrase=admin"

For the login, anonymous, and ldap login options, the content displayed in Kiali is based on the permissions of the Kiali service account. On Kubernetes, the Kiali service account has cluster wide access and will be able to display everything in the cluster. By default, in OpenShift the service account will also have access to everything in the cluster but this can be customized by following the instructions below.

For the openshift login option, the content displayed in Kiali is based on the permissions of the user who logged in via the OpenShift OAuth login page. This means that individual users will be shown different content based on their roles within OpenShift. See the section below for how to grant or remove a user’s access to specific namespaces.

The login option can be specified in the Kiali CR when installing Kiali. For instance, to use the openshift login option, the Kiali CR should contain the following in the auth section:

auth:
  strategy: openshift

LDAP

  The ldap strategy is deprecated and it will be removed in a following release. As an alternative, use the openid strategy and use an OpenID provider that supports LDAP integration.

The ldap login option requires additional settings in the auth.ldap section. For example:

auth:
  strategy: ldap
  ldap:
    ldap_base: "DC=example,DC=com"
    ldap_bind_dn: "CN={USERID},OU=xyz,OU=Users,OU=Accounts,DC=example,DC=com"
    ldap_group_filter: "(cn=%s)"
    ldap_host: "ldap-service.ldap-namespace"
    ldap_insecure_skip_verify: true
    ldap_mail_id_key: "mail"
    ldap_member_of_key: "memberOf"
    ldap_port: 123
    ldap_role_filter: ".*xyz.*"
    ldap_search_filter: "(&(name={USERID}))"
    ldap_use_ssl: false
    ldap_user_filter: "(cn=%s)"
    ldap_user_id_key: "cn"

An expanation for those LDAP configuration settings are given below:

  • ldap_base: The starting point from where Kiali will search for users.

  • ldap_bind_dn: The template used to try to authenticate a user. There must be a user ID to match this template in order to be able to log in to Kiali.

  • ldap_group_filter: This is used to get the groups of the user. If the group is part of Common Name (CN), the filter will be something like (cn=%s).

  • ldap_host: The host IP of the LDAP server.

  • ldap_insecure_skip_verify: If true, Kiali will not attempt to verify the LDAP server’s certificate when using SSL.

  • ldap_mail_id_key: The attribute that is used to retrieve the mail id of the user from the LDAP server.

  • ldap_member_of_key: The attribute that is used to retrieve the member groups of the user from the LDAP server.

  • ldap_port: The port that the LDAP server is listening to.

  • ldap_role_filter: Used to filter the user roles based on the regular expression provided.

  • ldap_search_filter: Used to get the user details from LDAP.

  • ldap_use_ssl: When true, Kiali will send requests to the LDAP server using the secure SSL protocol.

  • ldap_user_filter: Used to search for the given user name.

  • ldap_user_id_key: The attribute that is used to retrieve the user ID of the user from the LDAP server.

The configuration settings that are required to be set in order to use the LDAP authentication strategy are:

  • ldap_base

  • ldap_bind_dn

  • ldap_host

  • ldap_port

Kiali will not start if those settings are not present.

OpenID Connect

The openid login strategy requires additional settings in the auth.openid section. The minimal required attributes are client_id and issuer_uri. For example:

auth:
  strategy: openid
  openid:
    client_id: "kiali-client"
    issuer_uri: "https://openid.issuer.com"

Please, check the kiali_cr.yaml file of the Kiali operator repository to learn about all available options for configuring the openid strategy.

The openid strategy requires that your Kubernetes cluster is configured to accept tokens generated by your identity provider. If your cluster is not properly configured, authentication will fail and users won’t be able to log in to Kiali. Because of this, the value of client-id, issuer_uri and username_claim configuration options in Kiali are required to match the --oidc-client-id, --oidc-issuer-url and --oidc-username-claim flags used to start the cluster API server. If one or more of these values don’t match, users might fail to log in to Kiali.

Kiali uses the OpenID identity of the logged in user to make calls to the cluster API. Because of this, the openid strategy is RBAC-enabled and only users with privileges on the cluster will be able to log in to Kiali. Depending on the options you provided in the Kiali operator CR, there will be a ClusterRole named either kiali or kiali-viewer that you can use to assign privileges. For example, to assign privileges to the john@example.com OpenId user in the testing namespace, you could run the following command:

kubectl create rolebinding john-openid-binding --clusterrole=kiali --user="john@example.com" --namespace=testing

By assigning privileges this way, the user will be able to use Kiali and inspect only the testing namespace. If you need to assign cluster-wide permissions, assign privileges using a ClusterRoleBinding:

kubectl create clusterrolebinding john-openid-clusterbinding --clusterrole=kiali --user="john@example.com"

  If you need to assign a more limited set of privileges, it’s possible to use the kiali or kiali-viewer ClusterRoles as a base for creating your own customized Roles or ClusterRoles. Then, bind the users these customized roles. Do not edit the kiali nor the kiali-viewer ClusterRoles becuase they are binded to the Kiali ServiceAccount and editing them may lead to Kiali not working properly.

OpenShift User Permissions

If you are running with the openshift login option you will need to grant a user the 'kiali' role for them to be able to properly access a namespace in Kiali.

For instance, to grant the user 'developer' access to the 'myproject' namespace, you could run the following command:

  oc adm policy add-role-to-user kiali developer -n myproject

To remove the 'kiali' role from the user 'developer' in the 'myproject' namespace you can run the following command:

  oc adm policy remove-role-from-user kiali developer -n myproject

Namespace Management

Accessible Namespaces

The Kiali CR tells the Kiali Operator which namespaces are accessible to Kiali. It is specified in the CR via the accessible_namespaces setting under the main deployment section.

The specified namespaces are those that have service mesh components to be observed by Kiali. Additionally, the namespace to which Kiali is installed must be accessible (typically the same namespace as Istio). Each list entry can be a regex matched against all namespaces the operator can see. If not set in the Kiali CR, then the default behavior makes all current namespaces accessible except for some internal namespaces that should typically be ignored.

As an example, if Kiali is to be installed in the istio-system namespace, and is expected to monitor all namespaces prefixed with mycorp_ the setting would be:

deployment:
  accessible_namespaces:
  - istio-system
  - mycorp_.*

  If accessible_namespaces has an entry with the special value of ** (two asterisks), it denotes that Kiali be given access to all namespaces that exist or will be created in the future via a single cluster role.

  If the operator was installed via Helm but not installed with the option clusterRoleCreator: true then you cannot later edit the Kiali CR and change accessible_namespaces to **. You must reinstall the operator so that it can be granted the additional permissions required (--set clusterRoleCreator=true). Note that by default the Kiali Operator Helm Chart will install the operator with clusterRoleCreator set to true.

Maistra supports multi-tenancy and the accessible_namespaces extends that feature to Kiali. However, explicit naming of accessible namespaces can benefit non-Maistra installations as well - with it Kiali does not need cluster roles and the Kiali Operator does not need permissions to create cluster roles.

Excluded Namespaces

The Kiali CR tells the Kiali Operator which accessible namespaces should be excluded from the list of namespaces provided by the API and UI. This can be useful if wildcards are used when specifying Accessible Namespaces. This setting has no effect on namespace accessibility. It is only a filter, not security-related.

For example, if my accessible_namespaces include "mycorp_.*" but I don’t want to see test namespaces, I could add to the default entries:

namespaces:
  exclude:
    - istio-operator
    - kiali-operator
    - ibm.*
    - kube.*
    - openshift.*
    - mycorp_test.*

Namespace Selectors

Kiali supports an optional label selector for namespaces which is used to fetch a subset of the available namespaces.

The label selector is defined under the namespaces definition.

The example below selects all namespaces that have a label kiali-enabled: true:

namespaces:
  label_selector: kiali-enabled=true

For further information on how the label_selector interacts with deployment.accessible_namespaces read the technical documentation.

To label a namespace, you can use the following command, for more information see the :official documentation

  kubectl label namespace xxx kiali-enabled=true

Note that when using multiple service meshes (i.e. multiple control planes) in the same cluster, you will want to set the label selector’s value to a value unique to each mesh. This is so each mesh’s Kiali instance will only select those namespaces within that mesh.

For an example of using Kiali in this kind of soft multi-tenancy mode, see the [Maistra](https://github.com/Maistra/istio-operator) project.

This is the reason why this label_selector will be defined by default to the value of kiali.io/member-of: <istio_namespace> if the deployment.accessible_namespaces is set to something other than the "all namespaces" value ['**']. This allows you to have multiple control planes in the same cluster and have each control plane contain its own Kiali instance.

Reducing Permissions in OpenShift

By default, Kiali will run with its cluster role. It provides some read-write capabilities so Kiali can add, modify, or delete some service mesh resources to perform tasks such as adding and modifying Istio destination rules in any namespace.

If you prefer not to run Kiali with this read-write role across the cluster, it is possible to reduce these permissions to individual namespaces.

  This only works for OpenShift since it can return a list of namespaces that a user has access to. Know how to make this work with Kubernetes? Awesome, please let us know in this issue.

The first thing you will need to do is to remove the cluster-wide permissions that are granted to Kiali by default:

  oc delete clusterrolebindings kiali

Then you will need to grant the kiali role in the namespace of your choosing:

  oc adm policy add-role-to-user kiali system:serviceaccount:istio-system:kiali-service-account -n ${NAMESPACE}

You can alternatively tell the Kiali Operator to install Kiali in "view only" mode (this does work for either OpenShift or Kubernetes). You do this by setting the view_only_mode to true in the Kiali CR:

deployment:
  view_only_mode: true
  ...

This allows Kiali to read service mesh resources found in the cluster, but it does not allow Kiali to add, modify, or delete them.

Development Install

This option installs the latest Kiali Operator and Kiali Server images from the master branch. It also allows Kiali to access all current and future namespaces. This option is good for demo and development installations.

kubectl create namespace kiali-operator
helm install \
  --set cr.create=true \
  --set cr.namespace=istio-system \
  --set cr.spec.deployment.image_version=latest \
  --set image.tag=latest \
  --namespace kiali-operator \
  --repo https://kiali.org/helm-charts \
  kiali-operator \
  kiali-operator