Go back to index

1. What is Kiali?

Kiali provides answers to the questions: What are the microservices in my Istio service mesh, and how are they connected?

Demo Website
Figure 1. Kiali Graph

A Microservice Architecture breaks up the monolith into many smaller pieces that are composed together. Patterns to secure the communication between services like fault tolerance (via timeout, retry, circuit breaking, etc.) have come up as well as distributed tracing to be able to see where calls are going.

A service mesh can now provide these services on a platform level and frees the application writers from those tasks. Routing decisions are done at the mesh level.

Kiali works with Istio, in OpenShift or Kubernetes, to visualize the service mesh topology, to provide visibility into features like circuit breakers, request rates and more. It offers insights about the mesh components at different levels, from abstract Applications to Services and Workloads.

     Kiali also includes Jaeger Tracing to provide distributed tracing out of the box.

2. What does it do?

2.1. Graph View

Kiali provides an interactive graph view of your namespace in real time, being able to display the interactions at several levels (applications, versions, workloads), with contextual information and charts on the selected graph node or edge.

Demo Website
Figure 2. Kiali Graph


2.2. Applications

The Applications menu entry shows all the applications running in our environment.

Demo Website
Figure 3. List of Applications

Kiali provides detailed information related to the application, such as its health or the list of its workloads. The health summary comes with detailed information of multiple indicators in a tooltip.  

Demo Website
Figure 4. Application Info

Kiali also displays Istio metrics associated with an application.  

Demo Website
Figure 5. Application Metrics


2.3. Workloads

The Workloads menu entry shows the list of workloads with their health, error rate and labels validations.  

Demo Website
Figure 6. List of Workloads

By selecting a workload, the related information is displayed along with the associated pods and services.  

Demo Website
Figure 7. Workload Info


2.4. Services

The Services menu entry shows the list of services with their health and error rate.

When selecting a single service, its details page includes service ip, ports, endpoints, workloads, destination rules, virtual services and more details.

Inbound/outbound metrics are displayed for this service and a more detailed view is available in a linked Grafana dashboard.

Demo Website
Figure 8. Service Info


2.5. Istio Config

The Istio Config menu entry displays a list of all of the available Istio configuration objects that exist in the user’s environment.

Demo Website
Figure 9. List of Istio Configs

You can view, edit and delete the configuration yaml around a specific Istio object.  

Demo Website
Figure 10. Istio Config View


Demo Website
Figure 11. Valid Configuration of Istio Config

Kiali will highlight configuration errors.  

Demo Website
Figure 12. Invalid Configuration of Istio Config


2.6. Validations performed

This section lists all the validations that Kiali performs on all Istio configurations. Most of these validations are done in addition to/on top of the existing ones performed by Istio’s Galley component (except those marked as deprecated). Most validations are done inside a single namespace only, any exceptions (such as gateways) are marked below.

Table 1. List of destination rule validations
Validation message Severity Description Source Example

More than one Destination Rule for the same host subset combination


Warning shown when two Destination Rules point to the same host and share one or more subsets. If non-local mTLS is enabled this check is ignored.

source code


This host has no matching workloads


When one destination rule has a host that doesn’t exist. This checks against any workload, service names as well as service entries

source code


This subset’s labels are not found in any matching host


There isn’t any workload for this host matching its labels with the ones from that subset

source code


MeshPolicy enabling mTLS is missing


When there is a DestinationRule enabling mTLS mesh-wide, but there isn’t any MeshPolicy enabling mTLS

source code


Table 2. List of virtual service validations
Validation message Severity Description Source Example

VirtualService is pointing to a non-existent gateway


When the virtual service has a specified a gateway that doesn’t exist

source code


DestinationWeight on route doesn’t have a valid service (host not found)


When a destination weight has a host that doesn’t exist. This checks against service names as well as service entries

source code


VirtualService doesn’t define any route protocol


When a Virtual Service doesn’t define any tcp, http or tls routes

source code


More than one Virtual Service for same host


When two virtual services point to the same host. This includes hosts with wildcards also.

source code


Subset not found


When there is no subset defined in any destination rule

source code


Destination field is mandatory


When a Destination field within a DestinationWeight is empty

source code


(Deprecated) Weight must be a number


When a destination weight is not a number

source code


(Deprecated) Weight should be between 0 and 100


When a destination weight is > 100 or < 0

source code


(Deprecated) Weight sum should be 100


When the sum of all the weights for a protocol doesn’t sum up to 100

source code


(Deprecated) All routes should have weight


When weight sum is different from 100 and one or more destination weights have no weight, but the rest have.

source code


Table 3. List of Gateway validations
Validation message Severity Description Source Example

More than one Gateway for the same host port combination


When two or more gateways (from same or different namespace) point to the same host-port combination

source code


Table 4. List of MeshPolicy validations
Validation message Severity Description Source Example

Mesh-wide Destination Rule enabling mTLS is missing


When there is a MeshPolicy enabling mTLS, but there isn’t any mesh-wide Destination Rule enabling mTLS

source code


2.7. Istio Wizards

Kiali provides different actions to create, update and delete Istio configuration driven by Wizards. These actions are located under Service Details page.

Service Istio Actions
Figure 13. Service Details Actions

These actions are enabled by default.
Kiali can also be installed in "view only" mode to restrict any write operation on Istio configuration.
Check Kiali Operator CR to get more details about how to configure this option.

2.7.1. Weighted Routing Wizard

This wizard allows to select the percentage of traffic that will be routed to a specific Workload.

Weighted Routing
Figure 14. Weighted Routing Wizard

Kiali will create a pair of Istio resources (VirtualService and DestinationRule) with a single routing rule using the selected weights for the destination workloads.

2.7.2. Matching Routing Wizard

The Matching Routing Wizard allows to create multiple routing rules.

Every rule is composed by a Matching and a Routes section.

The Matching section can add multiple filters using HEADERS, URI, SCHEME, METHOD or AUTHORITY Http parameters. The Matching section can be empty, on this case, any http request received is matched against this rule.

The Routes section can select one or multiple Workloads.

Istio applies routing rules in order, meaning that first rule that matches an HTTP request, it is responsible to perform the routing. The Matching Routing Wizard allows to change order of rules.

Matching Routing
Figure 15. Matching Routing Wizard

In the same way that the previous Wizard, Kiali will create a pair of Istio resources mapping the routing rules defined into the generated VirtualService.

2.7.3. Suspend Traffic Wizard

This wizard helps user to stop partially or totally traffic for a service. It allows to define which workloads will receive traffic.

When traffic is suspended for all workloads, Istio will return an error code to any Service request.

Suspend Traffic
Figure 16. Suspend Routing Wizard

When there is traffic for some workload, the wizard will map a weighted rule; when there is not traffic, an abort rule will be coded in the pair of Istio resources VirtualService and DestinationRule generated.

2.7.4. Advanced Options

All previous wizards have an "advanced options" section where user can define specific configuration for TLS and LoadBalancing.

Advanced Options
Figure 17. Advanced options section

When mTLS is enabled by default in the global cluster or namespace this option is already preselected.

2.7.5. More Wizard examples

The following article Kiali: Observability in Action for Istio Service Mesh describes more examples of how to use the Kiali Wizards to configure Istio configuration.

2.8. Distributed Tracing

Clicking on Distributed Tracing menu item will open a new tab with the Jaeger UI for tracing services.