How to use Kiali with Istio to apply service mesh rules ?

Reading Time: 6 minutes

Introduction

This blog is development to the previous blog “Istio and Kubernetes Relationship”. That blog was about Service Mesh and Use of Istio with Kubernetes. In last part where we were able to monitor the flow of traffic using Kiali and Istio on the Kubernetes Cluster. Now we apply every feature of service mesh as defined in the blog “A quick guide to service mesh” using the UI dashboard of Kiali.

What is Kiali ?

As per the official documentation, Kiali is the management console for Istio Service Mesh. We install Kiali as an Istio add-on or used as part of your production environment.
It is an opensource application and even provides free learning on its YouTube channel.

The various services of Kiali include:

• Monitor : visualize services communicating in a cluster
• Health: this quickly identifies issues
• Details: examining details, logs and metrics
• Configuration: see and edit istio custom yaml configurations

Prerequisite

• Kubernetes Cluster with all configurations as defined in last blog.
• Enough Resources i.e. RAM and Memory for Istio

Note: To run properly, Istio requires 4 vCPUs and 8GB of RAM

Working on Kiali

Before, we move to Kiali you can check that you have the right configurations on cluster by getting similar output as:

$ kubectl get all -n istio-system

NAME                                        READY   STATUS              RESTARTS   AGE

pod/istio-ingressgateway-5f86977657-cqv56   1/1     Running             0          70m

pod/istiod-7587989b4f-6s9w5                 1/1     Running             0          70m

pod/kiali-575cc8cbf-9qj6b                   0/1     ContainerCreating   0          14s

pod/prometheus-6544454f65-nm65s             0/2     ContainerCreating   0          13s


NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                                      
AGE

service/istio-ingressgateway   LoadBalancer   10.96.84.182    10.96.84.182   15021:30723/TCP,80:30373/TCP,443:30929/TCP   70m

service/istiod                 ClusterIP      10.101.176.29   <none>         15010/TCP,15012/TCP,443/TCP,15014/TCP        70m

service/kiali                  ClusterIP      10.98.6.199     <none>         20001/TCP,9090/TCP                           15s

service/prometheus             ClusterIP      10.111.174.15   <none>         9090/TCP                                     13s


NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE

deployment.apps/istio-ingressgateway   1/1     1            1           70m

deployment.apps/istiod                 1/1     1            1           70m

deployment.apps/kiali                  0/1     1            0           15s

deployment.apps/prometheus             0/1     1            0           13s


NAME                                              DESIRED   CURRENT   READY   AGE

replicaset.apps/istio-ingressgateway-5f86977657   1         1         1       70m

replicaset.apps/istiod-7587989b4f                 1         1         1       70m

replicaset.apps/kiali-575cc8cbf                   1         1         0       15s

replicaset.apps/prometheus-6544454f65             1         1         0       13s


NAME                                                       REFERENCE                         TARGETS         
MINPODS   MAXPODS   REPLICAS   AGE

horizontalpodautoscaler.autoscaling/istio-ingressgateway   Deployment/istio-ingressgateway   <unknown>/8
0%   1         5         1          70m

horizontalpodautoscaler.autoscaling/istiod                 Deployment/istiod                 <unknown>/8
0%   1         5         1          70m

Now we will start the kiali dashboard as shown in last blog and run the url on browser:

$ istioctl dashboard kiali

http://localhost:20001/kiali

Cluster Traffic Visualization

• Now we see the graph of whole cluster working click on Graph on side navigation pane.
  • Select devops in Namespace
  • In Traffic, let default config be there
  • Select “Versioned Graph”
  • In Display, select Traffic Distribution, Traffic Rate, Idle Edges, Idle Nodes, Service Nodes, Traffic Animation.
  • Click on Create graph for idle edges in middle of graph dashboard. You may see similar output

• We need to create traffic so instead port forwarding, we run the following command to create the path using ingressgateway and ping it multiple times using watch command to create a virtual traffic:

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')

$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

$ echo "$INGRESS_HOST"

10.96.84.182

$ echo "$INGRESS_PORT"

80

$ echo "$SECURE_INGRESS_PORT"

443

$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

$ echo "$GATEWAY_URL"

10.96.84.182:80

$ echo "http://$GATEWAY_URL/productpage"

http://10.96.84.182:80/productpage

$ watch  exec curl -s -o /dev/null "http://$GATEWAY_URL/productpage"


Using Kiali with Istio for Traffic Shifting

The Traffic Shifting Panel allows us to select the traffic percentage to be routed to a specific workload.

• Since it only moving to version 1 we want it to move to all in equal way for that we change the traffic rules
  • select reviews to open the info bar
  • click on reviews

• Now we see current traffic route
• click on reviews
• Now we will delete this traffic route click on Actions on right side of dashboard. Select Delete Traffic Routing.
• Confirm the delete of virtual service and destination rule

• Create New Traffic route using Traffic Shifting in Actions.
• It can used to redirect the traffic as we want by providing the weightage. We will be using equal proportions here. In advance settings, you can change the destination. For example, we use the DNS for reviews in gateway the the istio gateway is used. Similarly in Traffic Policy you can configure TLS configurations, Loadbalancer, etc. In circuit breaker you can edit Connection setup like max connections or HTTPS Max pending Requests.
• Click on Preview

• Now you can see the yaml files created new virtual service and destination rule.
• Click on Create
• This creates a new route
• See it in graph in same way as done in Cluster Graph Visualization.

Note: We perform the Next Kiali Actions in similar way till deleting step and then change

Using Kiali with Istio Fault Injection

The Fault Injection Panel allows us to inject faults to test the resiliency of a Service.

NOTE:

• HTTP Delay : This specialization deals with injection of latency into the request forwarding path.
• HTTP Abort : This specification deals with immediate abortion of a request and return a predefined status code.

Select Fault Injection from Actions, You will be able to apply the fault as per requirements.

Using Kiali with Istio for Request Routing

The Request Routing Wizard allows you to create multiple routing rules.

• Each rule consists of a Request Matching section and a Routes To section.
• Request Matching:
  • add multiple filters HEADERS, URI, SCHEME, METHOD or AUTHORITY HTTP parameters.
  • This can be empty, in this case any HTTP request received is matched against this rule.
• The routes section can specify the percentage of traffic that is routed to any workload.

Similar to last Action follow steps till deletion and select Request Routing. Istio implements routing rules sequentially, thus the top-down routing is carried out by the first rule that matches an HTTP request.
The rule order can be modified using the Matching Routing Wizard.
To make the adjustments, open the wizard.

Using Kiali with Istio for Gateways, Circuit Breaker and Traffic Policy

Traffic Routing Wizard Advanced section provides other configurations. And one available Advanced Option is to expose a Service to external traffic through an existing Gateway or to create a new Gateway for this Service.

Now click on Circuit Breaker,

The Wizard allows to define Circuit Breakers on Services as part of the available Advanced Options.

• Connection Pool: for the connection limits to an upstream host.
• Outlier Detection: implementation of the Circuit Breaker based on the consecutive errors reported.

Another Option is Traffic Policy, this allows defining Security and Load Balancing settings.

• TLS section which contains settings for connections to the upstream service.
• Generate a “Peer Authentication” resource for this Service.
• Load balancing policies for specific destinations.

Using Kiali with Istio for Request Timeouts

Istio is used by the Request Timeouts Panel to configure request timeouts in Envoy. Repeat the steps till deletion and select Request Timeout from Action. In this wizard:

• HTTP Timeout defines the request timeout.
• When an HTTP request fails, HTTP Retry specifies the retry procedure to be followed.

Conclusion

The management of certifications is one task that Kiali cannot be used for. Devops personnel set up manually using Istio. Later blogs will address the use cases that were omitted here.
I hope the readers found this blog to be useful.

References

1. https://github.com/kiali/kiali
2. https://istio.io/latest/docs/ops/integrations/kiali/
3. https://www.youtube.com/watch?v=WdnGdsSQLHg