Getting started


Istio Maistra Kiali Notes




Kiali 0.17+ requires istio 1.1+




Older Kiali versions may work but are not supported

 For several commands listed on this page, the OpenShift CLI command oc is used to interact with the cluster environment. If you are on Kubernetes, simply replace oc with kubectl unless otherwise noted.


See Prerequisites for Kiali environment requirements.

Kiali can be installed in an OpenShift or Kubernetes cluster environment. For OpenShift only, a minimal preparation is necessary.

OpenShift Preparation

If you are installing on OpenShift, you need to grant the cluster-admin role to the user that is installing Istio and Kiali. If OpenShift is installed locally on the machine you are using, the following command should log you in as user system:admin which has this cluster-admin role:

oc login -u system:admin

Install Kiali via Istio or Maistra

  Both Istio and Maistra include Kiali distributions.

If you prefer to use the latest Kiali version, you should choose not to install Kiali during the Istio or Maistra installation procedure. Complete the Istio or Maistra installation and then Install Kiali Latest.

To install Kiali as part of the Istio installation just follow the Istio Setup docs. If you are running on OpenShift and prefer Maistra, see Maistra Setup docs. You may then continue to Open the UI.

Upgrade the Istio or Maistra Version of Kiali

The version of Kiali packaged with Istio or Maistra may not contain the most recent features and fixes. To upgrade to the latest version of Kiali first Uninstall Kiali Operator and Kiali and then proceed to Install Kiali Latest.

Install Kiali Latest

Installing the latest version of Kiali is done using the Kiali Operator. The Kiali Operator is a Kubernetes Operator. The Kiali Operator manages your Kiali installation. The Kiali Operator watches the Kiali CR (Custom Resource, yaml that holds the Kiali configuration). When you modify the Kiali CR, the operator installs, updates, or uninstalls Kiali as needed.

Below are three options for installing the Kiali Operator. If replacing an existing Kiali Operator you will be prompted for confirmation. Depending on the installation option the operator may then install Kiali. If replacing an existing Kiali you will be prompted for confirmation. For new Kiali installations you will be prompted for the authentication strategy. See Login Options for more on the login, anonymous and openshift authentication strategies. Depending on the chosen strategy the installation may prompt for additional information.

  It is only necessary to install the Kiali Operator one time. After the operator is installed you need only create or edit the Kiali CR (see Create or Edit the Kiali CR). There is no need to again perform one of the bash installations below.

Quick Install

This option installs the Kiali Operator and the Kiali CR, with default options. This is good for quick installs when the namespaces to be monitored already exist.

When the Kiali CR is created it triggers the operator to then install Kiali. Kiali will be able to access existing namespaces, but it will require a CR update to access future namespaces. See Namespace Management for more information. Run the install script via this command:

bash <(curl -L

Development Install

This option installs the Kiali Operator and the Kiali CR. It uses a non-default setting for accessible-namespaces making all current and future namespaces accessible to Kiali. This option is good for demo and development installations. This option grants special cluster role permissions and is not recommended for production. See Namespace Management for more information.

When the Kiali CR is created it triggers the operator to then install Kiali. Run the install script via this command:

bash <(curl -L --accessible-namespaces '**'

Advanced Install (Operator-Only)

This option installs only the Kiali Operator. This option is good when you plan to customize the Kiali CR.

Run the install script via this command (replacing the CR filename as needed):

bash <(curl -L --operator-install-kiali false

When the Kiali Operator is installed go to Create or Edit the Kiali CR for the customized Kiali installation.

Kiali Operator Install Script

It is not usually necessary to explicitly execute the Kiali Operator install script but it does offer a variety of options. To learn more about the script, and the available options, run the command:

bash <(curl -L --help

  The install script requires envsubst installed and in your PATH; you can get it via the GNU gettext package.

Create or Edit the Kiali CR

The Kiali Operator watches the Kiali CR (Custom Resource). Create, update, or removal of the Kiali CR will trigger the Kiali Operator to install, update, or remove Kiali. This assumes the Kiali Operator has already been installed. See Advanced Install (Operator-Only) if you need to install the Kiali Operator.

To create an initial Kiali CR file it is recommended to copy the fully documented example Kiali CR yaml file. Edit the file, being careful to maintain proper formatting, and save it to a local file (e.g. my-kiali-cr.yaml).

  It is important to understand the deployment:accessible_namespaces setting in the CR. See Accessible Namespaces for more information.

To install Kiali create the Kiali CR using the local file. To create the Kiali CR run the command:

oc apply -f my-kiali-cr.yaml -n kiali-operator

To update Kiali, edit and save the existing the Kiali CR. To edit the Kiali CR run the command (note: the default Kiali CR name is kiali):

oc edit kiali <Kiali CR name> -n kiali-operator


Uninstall Kiali Only

To remove Kiali is simple - just delete the Kiali CR. To trigger the Kiali Operator to uninstall Kiali run the command (note: the default Kiali CR name is kiali):

oc delete kiali <Kiali CR name> -n kiali-operator

At this point, you have no Kiali installed, but you still have the Kiali Operator running. You could create another Kiali CR (with potentially different configuration settings) to install a new Kiali instance.

Uninstall Kiali Operator and Kiali

To uninstall everything related to Kiali (Kiali Operator, Kiali, etc) run the command:

bash <(curl -L --uninstall-mode true

Known Problem: Uninstall Hangs

In Kiali < 0.22 using Kubernetes versions < 0.14 (Openshift version 3), there is an operator-sdk bug that can hang uninstall. This can happen when uninstalling Kiali via the Kiali Operator, or occasionally when trying to delete the namespace in which Kiali is installed. This is due to a kubernetes bug detecting finalizer completion. If you get into this hung state the following command may resolve the problem:

  If you installed the Kiali CR in a different namespace (via -own, --operator-watch-namespace), replace "kiali-operator" in the command with the namespace in which the Kiali CR is located.

oc patch kiali kiali -n kiali-operator -p '{"metadata":{"finalizers": []}}' --type=merge

Open the UI

Once Istio, Maistra or the Kiali Operator has installed Kiali, and the Kiali pod has successfully started, you can access the UI.

  The credentials you use on the login screen depend on the authentication strategy that was configured for Kiali. See Login Options for more details.

On OpenShift

If on OpenShift, you can easily find the URL to access Kiali by going to the OpenShift Console and navigating to the istio-system project’s Overview page:

OpenShift console


In this case, the Kiali URL is In your case this will be a different IP.

You can also use the oc command to determine the base URL:

oc get route -n istio-system -l app=kiali

On Kubernetes

If on Kubernetes, access Kiali over the Ingress URL. By default, Kiali web root is under /kiali.

Alternatively you can setup port forwarding to your local machine:

kubectl port-forward svc/kiali 20001:20001 -n istio-system

Additional Notes

Customize the Kiali UI web context root

By default, when installed on OpenShift, the Kiali UI is deployed to the root context path of "/" e.g. https://kiali-istio-system.<your_cluster_domain_or_ip>/. In some situations such as when you want to serve the Kiali UI along with other apps under the same host name, e.g.,,, you can edit the Kiali CR and provide a different value for web_root. Note: the path must begin with a / and not end with a / (e.g. /kiali or /mykiali).

An example of custom web root:

  web_root: /kiali

The above is actually the default when Kiali is installed on Kubernetes - so to access the Kiali UI on Kubernetes you access it at the root context path of "/kiali".

Login Options

Kiali supports three different login options.

login: This option allows a user to login into Kiali using a username and password. This is the default option if using Kubernetes.

anonymous: This option removes any login requirement. A user will not be presented the login page and will automatically have access to Kiali without having to present any credentials.

openshift: If you have deployed Kiali on OpenShift you can use this option (this is the default option if using OpenShift). With this option users will log into Kiali using the OpenShift OAuth login. What users can access in Kiali will now be based on their user roles in OpenShift using the kubernetes RBAC.

  Using the anonymous option will leave Kiali unsecured. Anyone who can access the console will have full access to Kiali. If you are using this option you will need to make sure that it is only available on a trusted network and that only trusted users can access it.

If login strategy is selected during the installation, a secret containing Kiali login credentials is required to be deployed along with Kiali. In this case, the install script will prompt you to enter a username and passphrase for the credentials that you want users to enter in order to log in successfully to Kiali. The install script will store those credentials in a secret that is deployed in the same namespace where Kiali is installed.

  If you told the install script to not create a Kiali CR (and thus not have Kiali installed yet) via the OPERATOR_INSTALL_KIALI=false environment variable, you are responsible for creating this secret if you wish to install Kiali with the authentication strategy of "login". A secret is not required if your authentication strategy is not "login". The following command is a simple way to create a secret for Kiali whose username is "admin" and passphrase is "admin":

oc create secret generic kiali -n istio-system --from-literal "username=admin" --from-literal "passphrase=admin"

For the login and anonymous login options, the content displayed in Kiali is based on the permissions of the Kiali service account. On Kubernetes, the Kiali service account has cluster wide access and will be able to display everything in the cluster. By default, in OpenShift the service account will also have access to everything in the cluster but this can be customized by following the instructions below.

For the openshift login option, the content displayed in Kiali is based on the permissions of the user who logged in via the OpenShift OAuth login page. This means that individual users will be shown different content based on their roles within OpenShift. See the section below for how to grant or remove a user’s access to specific namespaces.

The login option can be specified in the Kiali CR when installing Kiali. For instance, to use the openshift login option, the Kiali CR should contain the following in the auth section:

  strategy: openshift

OpenShift User Permissions

If you are running with the openshift login option you will need to grant a user the 'kiali' role for them to be able to properly access a namespace in Kiali.

For instance, to grant the user 'developer' access to the 'myproject' namespace, you could run the following command:

oc adm policy add-role-to-user kiali developer -n myproject

To remove the 'kiali' role from the user 'developer' in the 'myproject' namespace you can run the following command:

oc adm policy remove-role-from-user kiali developer -n myproject

Namespace Management

Accessible Namespaces

The Kiali custom resource (CR) tells the Kiali Operator which namespaces are accessible to Kiali. It is specified in the CR via the accessible_namespaces setting under the main deployment section.

The specified namespaces are those that have service mesh components to be observed by Kiali. Additionally, the namespace to which Kiali is installed must be accessible (typically the same namespace as Istio). Each list entry can be a regex matched against all namespaces the operator can see. If not set the default makes all namespaces accessible except for some internal namespaces that should typically be ignored.

As an example, if Kiali is to be installed in the istio-system namespace, and is expected to monitor all namespaces prefixed with mycorp_ the setting would be:

  - istio-system
  - mycorp_.*

  If accessible_namespaces has an entry with the special value of ** (two asterisks), it denotes that Kiali be given access to all namespaces via a single cluster role (if using this special value of **, you are required to have already granted the operator permissions to create cluster roles and cluster role bindings). It is not recommended for production but the following command will create both the Kiali operator and the Kiali CR, configured for full cluster access to current and new namespaces:

  If the operator was originally installed with --accessible_namespaces not set to **, you cannot later edit the Kiali CR and change accessible_namespaces to **. You must use the bash command below to reinstall the operator so that it can be granted the additional permissions required.

bash <(curl -L -an '**'

Excluded Namespaces

The Kiali custom resource (CR) tells the Kiali Operator which accessible namespaces should be excluded from the list of namespaces provided by the API and UI. This can be useful if wildcards are used when specifying Accessible Namespaces. This setting has no effect on namespace accessibility. It is only a filter, not security-related.

For example, if my accessible_namespaces include "mycorp_.*" but I don’t want to see test namespaces, I could add to the default entries:

    - istio-operator
    - kiali-operator
    - ibm.*
    - kube.*
    - openshift.*
    - mycorp_test.*

Reducing Permissions in OpenShift

By default, Kiali will run with its cluster role named kiali. It provides some read-write capabilities so Kiali can add, modify, or delete some service mesh resources to perform tasks such as adding and modifying Istio destination rules in any namespace.

If you prefer not to run Kiali with this read-write role across the cluster, it is possible to reduce these permissions to individual namespaces.

  This only works for OpenShift since it can return a list of namespaces that a user has access to. Know how to make this work with Kubernetes? Awesome, please let us know in this issue.

The first thing you will need to do is to remove the cluster-wide permissions that are granted to Kiali by default:

oc delete clusterrolebindings kiali

Then you will need to grant the kiali role in the namespace of your choosing:

oc adm policy add-role-to-user kiali system:serviceaccount:istio-system:kiali-service-account -n ${NAMESPACE}

You can alternatively tell the Kiali Operator to install Kiali in "view only" mode (this does work for either OpenShift or Kubernetes). You do this by setting the view_only_mode to true in the Kiali CR:

  view_only_mode: true

This allows Kiali to read service mesh resources found in the cluster, but it does not allow Kiali to add, modify, or delete them.