Securing Kiali in Istio 1.7

Christian Posta | August 7, 2020

At Solo.io we work with our customers to be successful with Envoy-based technology including supporting service mesh. With Istio support, we run into interesting questions that is sometime useful to share with the community. Some asked recently about securing Kiali, and upon investigation, we found some changes in Istio 1.7 (and Kiali) that we want to share with the community.

To  be clear, at the time of writing, Istio 1.7 is NOT released. It’s scheduled for August 11th, 2020. This information applies even after the 1.7 release. To learn more about Istio 1.7, you can join a livestream I’m hosting on Aug 25th with Dan Berg of the Istio project.

Kiali is deprecating certain auth strategies

Kiali comes with a few different authentication strategies which also tie into the Kubernetes RBAC capabilities:

  • login – username/password based auth
  • anonymous – basically open access
  • openshift – tie in with openshift identity provider
  • token – similar to Kubernetes dashboard; use a service-account-linked token
  • oidc – oauth flow based on OpenID connect
  • ldap – connect to an LDAP compatible identity provider

Kiali has deprecated the login and ldap strategies, which leaves us with anonymous, token, and oidc for Kubernetes installations. Skip to the last section where we demo these capabilities.

Kiali is no longer deployed with Istio

With Istio 1.7, Kiali is no longer packaged with the demo profile. Actually, very little is packged with the demo profile (just istiod, ingress-gateway, and egress-gateway) as ALL additional components  have moved to the $DIR/samples/addons folder. This makes it more obvious that the components shipped with Istio to support observability, for example, can be used in a “addon” capacity, but that each has its own community and own installation flows for any real production usage. This includes the Kiali addon which deploys a basic installation of Kiali. Refer to the Kiali community for a more realistic deployment which uses an operator to manage its lifecycle and installation. 

Reviewing Auth strategies in Kiali with Istio 1.7

In this short video, we take a look at securing Kiali’s dashboard with the anonymous (default), token, and OIDC strategies:

Looking  for Istio Support?

At Solo.io, we work with the worlds largest customers to help them succeed at adopting  Envoy and service-mesh based technologies. Please reach out if you are looking for Istio Support (consulting, dedicated support engineering, break-fix production support/expertise, etc). 

Back to Blog