Securing Kiali in Istio 1.7

At Solo.io we work with our customers to help them succeed with Envoy-based technology, including supporting service mesh. With Istio support, we run into interesting questions that are sometimes useful to share with the community. Someone asked recently about securing Kiali, and upon investigation, we found some changes in Istio 1.7 (and Kiali) that we want to share with the community.

To be clear, at the time of writing, Istio 1.7 is NOT released. It’s scheduled for August 11th, 2020. This information applies even after the 1.7 release. To learn more about Istio 1.7, you can join a livestream I’m hosting on Aug 25th with Dan Berg of the Istio project.

Kiali is deprecating certain auth strategies

Kiali comes with a few different authentication strategies which also tie into the Kubernetes RBAC capabilities:

  • login – username/password based auth
  • anonymous – basically open access
  • openshift – tie in with the OpenShift identity provider
  • token – similar to Kubernetes dashboard; use a service-account-linked token
  • oidc – OAuth flow based on OpenID Connect
  • ldap – connect to an LDAP-compatible identity provider

Kiali has deprecated the login and ldap strategies, which leaves us with anonymous, token, and oidc for Kubernetes installations. Skip to the last section where we demo these capabilities.
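
A quick way to check which of these strategies a given Kiali config selects, as an added example (not from the original post, and not Kiali or Istio code). The function names and sample configs are made up for illustration, and it assumes the strategy is set at auth.strategy in Kiali's YAML config.

```shell
#!/bin/sh
# Added example, not Kiali or Istio code. Function names are hypothetical.
# Assumes the Kiali config is YAML with the strategy at auth.strategy.

# Print the auth.strategy value from Kiali config text on stdin.
kiali_auth_strategy() {
  awk '
    /^[^ \t#]/ { in_auth = ($1 == "auth:"); next }    # a new top-level key
    in_auth && $1 == "strategy:" { print $2; exit }   # key nested under auth:
  ' | tr -d "\"'"
}

# Classify the strategy: 0 = authenticated, 1 = open, 2 = deprecated, 3 = unknown.
classify_kiali_auth() {
  strategy=$(kiali_auth_strategy)
  case "$strategy" in
    anonymous)   echo "OPEN anonymous"; return 1 ;;
    login|ldap)  echo "DEPRECATED $strategy"; return 2 ;;
    # Kiali spells the OIDC strategy "openid" in its config; "oidc" is the
    # name used in the list above, so both are accepted here.
    token|openid|oidc|openshift) echo "OK $strategy"; return 0 ;;
    "")          echo "UNKNOWN unset"; return 3 ;;
    *)           echo "UNKNOWN $strategy"; return 3 ;;
  esac
}

# Constructed sample configs (not taken from a real cluster).
SAMPLE_OPEN='auth:
  strategy: anonymous
'
SAMPLE_TOKEN='example_other:
  strategy: anonymous
auth:
  strategy: "token"
'
SAMPLE_LEGACY='auth:
  # strategy: token
  strategy: ldap
'

for cfg in "$SAMPLE_OPEN" "$SAMPLE_TOKEN" "$SAMPLE_LEGACY"; do
  printf '%s' "$cfg" | classify_kiali_auth || true
done

# Against a cluster (assumes the addon's ConfigMap is "kiali" in istio-system
# with the key config.yaml):
#   kubectl -n istio-system get configmap kiali \
#     -o jsonpath='{.data.config\.yaml}' | classify_kiali_auth
```

The non-zero return codes make the function usable as a gate in a deployment pipeline: only an authenticated strategy returns 0.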

Kiali is no longer deployed with Istio

With Istio 1.7, Kiali is no longer packaged with the demo profile. Actually, very little is packaged with the demo profile (just istiod, ingress-gateway, and egress-gateway), as ALL additional components have moved to the $DIR/samples/addons folder. This makes it more obvious that the components shipped with Istio to support observability, for example, can be used in an “addon” capacity, but that each has its own community and its own installation flows for any real production usage. This includes the Kiali addon, which deploys a basic installation of Kiali. Refer to the Kiali community for a more realistic deployment, which uses an operator to manage its lifecycle and installation.

Reviewing Auth strategies in Kiali with Istio 1.7

In this short video, we take a look at securing Kiali’s dashboard with the anonymous (default), token, and OIDC strategies:

Looking for Istio Support?

At Solo.io, we work with the world's largest customers to help them succeed at adopting Envoy and service-mesh based technologies. Please reach out if you are looking for Istio Support (consulting, dedicated support engineering, break-fix production support/expertise, etc).