How to use Kiali with Istio to apply service mesh rules ?

Young Asian software developer working over new program
Reading Time: 6 minutes


This blog is development to the previous blog “Istio and Kubernetes Relationship”. That blog was about Service Mesh and Use of Istio with Kubernetes. In last part where we were able to monitor the flow of traffic using Kiali and Istio on the Kubernetes Cluster. Now we apply every feature of service mesh as defined in the blog “A quick guide to service mesh” using the UI dashboard of Kiali.

What is Kiali ?

As per the official documentation, Kiali is the management console for Istio Service Mesh. We install Kiali as an Istio add-on or used as part of your production environment.
It is an opensource application and even provides free learning on its YouTube channel.

The various services of Kiali include:

  • Monitor : visualize services communicating in a cluster
  • Health: this quickly identifies issues
  • Details: examining details, logs and metrics
  • Configuration: see and edit istio custom yaml configurations


  • Kubernetes Cluster with all configurations as defined in last blog.
  • Enough Resources i.e. RAM and Memory for Istio

Note: To run properly, Istio requires 4 vCPUs and 8GB of RAM

Working on Kiali

Before, we move to Kiali you can check that you have the right configurations on cluster by getting similar output as:

$ kubectl get all -n istio-system


pod/istio-ingressgateway-5f86977657-cqv56 1/1 Running 0 70m

pod/istiod-7587989b4f-6s9w5 1/1 Running 0 70m

pod/kiali-575cc8cbf-9qj6b 0/1 ContainerCreating 0 14s

pod/prometheus-6544454f65-nm65s 0/2 ContainerCreating 0 13s


service/istio-ingressgateway LoadBalancer 15021:30723/TCP,80:30373/TCP,443:30929/TCP 70m

service/istiod ClusterIP <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 70m

service/kiali ClusterIP <none> 20001/TCP,9090/TCP 15s

service/prometheus ClusterIP <none> 9090/TCP 13s


deployment.apps/istio-ingressgateway 1/1 1 1 70m

deployment.apps/istiod 1/1 1 1 70m

deployment.apps/kiali 0/1 1 0 15s

deployment.apps/prometheus 0/1 1 0 13s


replicaset.apps/istio-ingressgateway-5f86977657 1 1 1 70m

replicaset.apps/istiod-7587989b4f 1 1 1 70m

replicaset.apps/kiali-575cc8cbf 1 1 0 15s

replicaset.apps/prometheus-6544454f65 1 1 0 13s


horizontalpodautoscaler.autoscaling/istio-ingressgateway Deployment/istio-ingressgateway <unknown>/8
0% 1 5 1 70m

horizontalpodautoscaler.autoscaling/istiod Deployment/istiod <unknown>/8
0% 1 5 1 70m

Now we will start the kiali dashboard as shown in last blog and run the url on browser:

$ istioctl dashboard kiali

Kiali Dashboard
Kiali Dashboard

Cluster Traffic Visualization

  • Now we see the graph of whole cluster working click on Graph on side navigation pane.
    • Select devops in Namespace
    • In Traffic, let default config be there
    • Select “Versioned Graph”
    • In Display, select Traffic Distribution, Traffic Rate, Idle Edges, Idle Nodes, Service Nodes, Traffic Animation.
    • Click on Create graph for idle edges in middle of graph dashboard. You may see similar output
Kiali Cluster Graph
Kiali Cluster Graph
  • We need to create traffic so instead port forwarding, we run the following command to create the path using ingressgateway and ping it multiple times using watch command to create a virtual traffic:
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?("http2")].port}')

$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?("https")].port}')

$ echo "$INGRESS_HOST"

$ echo "$INGRESS_PORT"





$ echo "$GATEWAY_URL"

$ echo "http://$GATEWAY_URL/productpage"

$ watch exec curl -s -o /dev/null "http://$GATEWAY_URL/productpage"

service mesh cluster traffic graph
Cluster Graph with Traffic

Using Kiali with Istio for Traffic Shifting

The Traffic Shifting Panel allows us to select the traffic percentage to be routed to a specific workload.

  • Since it only moving to version 1 we want it to move to all in equal way for that we change the traffic rules
    • select reviews to open the info bar
    • click on reviews
service mesh Traffic Shifting
  • Now we see current traffic route
  • click on reviews
  • Now we will delete this traffic route click on Actions on right side of dashboard. Select Delete Traffic Routing.
  • Confirm the delete of virtual service and destination rule
Traffic Shifting
Traffic Shifting
  • Create New Traffic route using Traffic Shifting in Actions.
  • It can used to redirect the traffic as we want by providing the weightage. We will be using equal proportions here. In advance settings, you can change the destination. For example, we use the DNS for reviews in gateway the the istio gateway is used. Similarly in Traffic Policy you can configure TLS configurations, Loadbalancer, etc. In circuit breaker you can edit Connection setup like max connections or HTTPS Max pending Requests.
  • Click on Preview
Traffic Shifting
  • Now you can see the yaml files created new virtual service and destination rule.
  • Click on Create
  • This creates a new route
  • See it in graph in same way as done in Cluster Graph Visualization.
Traffic Shifting
New Rules Traffic Shifting
Using Kiali dashboard to show case New Cluster Graph
Cluster Graph After New Rules

Note: We perform the Next Kiali Actions in similar way till deleting step and then change

Using Kiali with Istio Fault Injection

The Fault Injection Panel allows us to inject faults to test the resiliency of a Service.


  • HTTP Delay : This specialization deals with injection of latency into the request forwarding path.
  • HTTP Abort : This specification deals with immediate abortion of a request and return a predefined status code.

Select Fault Injection from Actions, You will be able to apply the fault as per requirements.

fault inject
Fault Injection Wizard

Using Kiali with Istio for Request Routing

The Request Routing Wizard allows you to create multiple routing rules.

  • Each rule consists of a Request Matching section and a Routes To section.
  • Request Matching:
    • add multiple filters HEADERS, URI, SCHEME, METHOD or AUTHORITY HTTP parameters.
    • This can be empty, in this case any HTTP request received is matched against this rule.
  • The routes section can specify the percentage of traffic that is routed to any workload.

Similar to last Action follow steps till deletion and select Request Routing. Istio implements routing rules sequentially, thus the top-down routing is carried out by the first rule that matches an HTTP request.
The rule order can be modified using the Matching Routing Wizard.
To make the adjustments, open the wizard.

request route
Request Routing Wizard

Using Kiali with Istio for Gateways, Circuit Breaker and Traffic Policy

Traffic Routing Wizard Advanced section provides other configurations. And one available Advanced Option is to expose a Service to external traffic through an existing Gateway or to create a new Gateway for this Service.

gateway configuration
gateway configuration

Now click on Circuit Breaker,

The Wizard allows to define Circuit Breakers on Services as part of the available Advanced Options.

  • Connection Pool: for the connection limits to an upstream host.
  • Outlier Detection: implementation of the Circuit Breaker based on the consecutive errors reported.
Traffic Circuit Breaker
Traffic Circuit Breaker

Another Option is Traffic Policy, this allows defining Security and Load Balancing settings.

  • TLS section which contains settings for connections to the upstream service.
  • Generate a “Peer Authentication” resource for this Service.
  • Load balancing policies for specific destinations.
Traffic Policy
Traffic Policy

Using Kiali with Istio for Request Timeouts

Istio is used by the Request Timeouts Panel to configure request timeouts in Envoy. Repeat the steps till deletion and select Request Timeout from Action. In this wizard:

  • HTTP Timeout defines the request timeout.
  • When an HTTP request fails, HTTP Retry specifies the retry procedure to be followed.
Request TImeout
Requests Timeout


The management of certifications is one task that Kiali cannot be used for. Devops personnel set up manually using Istio. Later blogs will address the use cases that were omitted here.
I hope the readers found this blog to be useful.


This image has an empty alt attribute; its file name is image-95-1024x743.png

Written by 

Vaibhav Kumar is a DevOps Engineer at Knoldus | Part of Nashtech with experience in architecting and automating integral deployments over infrastructure. Proficient in Jenkins, Git, AWS and in developing CI pipelines. Able to perform configuration management using ansible and infrastructure management using terraform. Like to script and do developing in Python. Other than AWS, have an experience in Google Cloud, Azure cloud services. Other than Jenkins, CI/CD in Azure Pipelines, GitHub Actions, Teamcity. Loves to explore new technologies and ways to improve work with automation.