How to use Kiali with Istio to apply service mesh rules ?

Young Asian software developer working over new program
Reading Time: 6 minutes

Introduction

This blog is development to the previous blog “Istio and Kubernetes Relationship”. That blog was about Service Mesh and Use of Istio with Kubernetes. In last part where we were able to monitor the flow of traffic using Kiali and Istio on the Kubernetes Cluster. Now we apply every feature of service mesh as defined in the blog “A quick guide to service mesh” using the UI dashboard of Kiali.

What is Kiali ?

As per the official documentation, Kiali is the management console for Istio Service Mesh. We install Kiali as an Istio add-on or used as part of your production environment.
It is an opensource application and even provides free learning on its YouTube channel.

The various services of Kiali include:

  • Monitor : visualize services communicating in a cluster
  • Health: this quickly identifies issues
  • Details: examining details, logs and metrics
  • Configuration: see and edit istio custom yaml configurations

Prerequisite

  • Kubernetes Cluster with all configurations as defined in last blog.
  • Enough Resources i.e. RAM and Memory for Istio

Note: To run properly, Istio requires 4 vCPUs and 8GB of RAM

Working on Kiali

Before, we move to Kiali you can check that you have the right configurations on cluster by getting similar output as:

$ kubectl get all -n istio-system

NAME READY STATUS RESTARTS AGE

pod/istio-ingressgateway-5f86977657-cqv56 1/1 Running 0 70m

pod/istiod-7587989b4f-6s9w5 1/1 Running 0 70m

pod/kiali-575cc8cbf-9qj6b 0/1 ContainerCreating 0 14s

pod/prometheus-6544454f65-nm65s 0/2 ContainerCreating 0 13s


NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
AGE

service/istio-ingressgateway LoadBalancer 10.96.84.182 10.96.84.182 15021:30723/TCP,80:30373/TCP,443:30929/TCP 70m

service/istiod ClusterIP 10.101.176.29 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 70m

service/kiali ClusterIP 10.98.6.199 <none> 20001/TCP,9090/TCP 15s

service/prometheus ClusterIP 10.111.174.15 <none> 9090/TCP 13s


NAME READY UP-TO-DATE AVAILABLE AGE

deployment.apps/istio-ingressgateway 1/1 1 1 70m

deployment.apps/istiod 1/1 1 1 70m

deployment.apps/kiali 0/1 1 0 15s

deployment.apps/prometheus 0/1 1 0 13s


NAME DESIRED CURRENT READY AGE

replicaset.apps/istio-ingressgateway-5f86977657 1 1 1 70m

replicaset.apps/istiod-7587989b4f 1 1 1 70m

replicaset.apps/kiali-575cc8cbf 1 1 0 15s

replicaset.apps/prometheus-6544454f65 1 1 0 13s


NAME REFERENCE TARGETS
MINPODS MAXPODS REPLICAS AGE

horizontalpodautoscaler.autoscaling/istio-ingressgateway Deployment/istio-ingressgateway <unknown>/8
0% 1 5 1 70m

horizontalpodautoscaler.autoscaling/istiod Deployment/istiod <unknown>/8
0% 1 5 1 70m

Now we will start the kiali dashboard as shown in last blog and run the url on browser:

$ istioctl dashboard kiali

http://localhost:20001/kiali
Kiali Dashboard
Kiali Dashboard

Cluster Traffic Visualization

  • Now we see the graph of whole cluster working click on Graph on side navigation pane.
    • Select devops in Namespace
    • In Traffic, let default config be there
    • Select “Versioned Graph”
    • In Display, select Traffic Distribution, Traffic Rate, Idle Edges, Idle Nodes, Service Nodes, Traffic Animation.
    • Click on Create graph for idle edges in middle of graph dashboard. You may see similar output
Kiali Cluster Graph
Kiali Cluster Graph
  • We need to create traffic so instead port forwarding, we run the following command to create the path using ingressgateway and ping it multiple times using watch command to create a virtual traffic:
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')

$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

$ echo "$INGRESS_HOST"

10.96.84.182

$ echo "$INGRESS_PORT"

80

$ echo "$SECURE_INGRESS_PORT"

443

$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

$ echo "$GATEWAY_URL"

10.96.84.182:80

$ echo "http://$GATEWAY_URL/productpage"

http://10.96.84.182:80/productpage

$ watch exec curl -s -o /dev/null "http://$GATEWAY_URL/productpage"

service mesh cluster traffic graph
Cluster Graph with Traffic

Using Kiali with Istio for Traffic Shifting

The Traffic Shifting Panel allows us to select the traffic percentage to be routed to a specific workload.

  • Since it only moving to version 1 we want it to move to all in equal way for that we change the traffic rules
    • select reviews to open the info bar
    • click on reviews
service mesh Traffic Shifting
  • Now we see current traffic route
  • click on reviews
  • Now we will delete this traffic route click on Actions on right side of dashboard. Select Delete Traffic Routing.
  • Confirm the delete of virtual service and destination rule
Traffic Shifting
Traffic Shifting
  • Create New Traffic route using Traffic Shifting in Actions.
  • It can used to redirect the traffic as we want by providing the weightage. We will be using equal proportions here. In advance settings, you can change the destination. For example, we use the DNS for reviews in gateway the the istio gateway is used. Similarly in Traffic Policy you can configure TLS configurations, Loadbalancer, etc. In circuit breaker you can edit Connection setup like max connections or HTTPS Max pending Requests.
  • Click on Preview
Traffic Shifting
  • Now you can see the yaml files created new virtual service and destination rule.
  • Click on Create
  • This creates a new route
  • See it in graph in same way as done in Cluster Graph Visualization.
Traffic Shifting
New Rules Traffic Shifting
Using Kiali dashboard to show case New Cluster Graph
Cluster Graph After New Rules

Note: We perform the Next Kiali Actions in similar way till deleting step and then change

Using Kiali with Istio Fault Injection

The Fault Injection Panel allows us to inject faults to test the resiliency of a Service.

NOTE:

  • HTTP Delay : This specialization deals with injection of latency into the request forwarding path.
  • HTTP Abort : This specification deals with immediate abortion of a request and return a predefined status code.

Select Fault Injection from Actions, You will be able to apply the fault as per requirements.

fault inject
Fault Injection Wizard

Using Kiali with Istio for Request Routing

The Request Routing Wizard allows you to create multiple routing rules.

  • Each rule consists of a Request Matching section and a Routes To section.
  • Request Matching:
    • add multiple filters HEADERS, URI, SCHEME, METHOD or AUTHORITY HTTP parameters.
    • This can be empty, in this case any HTTP request received is matched against this rule.
  • The routes section can specify the percentage of traffic that is routed to any workload.

Similar to last Action follow steps till deletion and select Request Routing. Istio implements routing rules sequentially, thus the top-down routing is carried out by the first rule that matches an HTTP request.
The rule order can be modified using the Matching Routing Wizard.
To make the adjustments, open the wizard.

request route
Request Routing Wizard

Using Kiali with Istio for Gateways, Circuit Breaker and Traffic Policy

Traffic Routing Wizard Advanced section provides other configurations. And one available Advanced Option is to expose a Service to external traffic through an existing Gateway or to create a new Gateway for this Service.

gateway configuration
gateway configuration

Now click on Circuit Breaker,

The Wizard allows to define Circuit Breakers on Services as part of the available Advanced Options.

  • Connection Pool: for the connection limits to an upstream host.
  • Outlier Detection: implementation of the Circuit Breaker based on the consecutive errors reported.
Traffic Circuit Breaker
Traffic Circuit Breaker

Another Option is Traffic Policy, this allows defining Security and Load Balancing settings.

  • TLS section which contains settings for connections to the upstream service.
  • Generate a “Peer Authentication” resource for this Service.
  • Load balancing policies for specific destinations.
Traffic Policy
Traffic Policy

Using Kiali with Istio for Request Timeouts

Istio is used by the Request Timeouts Panel to configure request timeouts in Envoy. Repeat the steps till deletion and select Request Timeout from Action. In this wizard:

  • HTTP Timeout defines the request timeout.
  • When an HTTP request fails, HTTP Retry specifies the retry procedure to be followed.
Request TImeout
Requests Timeout

Conclusion

The management of certifications is one task that Kiali cannot be used for. Devops personnel set up manually using Istio. Later blogs will address the use cases that were omitted here.
I hope the readers found this blog to be useful.

References

  1. https://github.com/kiali/kiali
  2. https://istio.io/latest/docs/ops/integrations/kiali/
  3. https://www.youtube.com/watch?v=WdnGdsSQLHg
This image has an empty alt attribute; its file name is image-95-1024x743.png

Written by 

Explorer of new technologies: from DevOps to Web 3