News
1 - Release Notes
For additional information check our sprint demo videos and blogs.
1.43.0
Sprint Release: November 12th, 2021
Features:
- Allow Kiali Graphs to show EgressGateway traffic to ServiceEntry
- (Feature Request) Support mounting existing secret into Kiali Pod
- Calculate graph importance score
- Validations - Ensure ServiceEntry has WorkloadEntry addresses
- Support getting the root namespace from Istio configuration
- ingress created by Kiali CR does not include ingress class - need new deployment.ingress setting
Please note this introduces a backward-incompatible change. Users with the prior ingress settings defined in their Kiali CR will need to make an update. Other users are not affected. The previous ingress settings were:
deployment:
  ingress_enabled: <true|false>
  override_ingress_yaml:
    ...the override yaml here...
This has been changed to the following:
deployment:
  ingress:
    enabled: <true|false>
    override_yaml:
      ...the override yaml here...
- Update kiali.io docs to Kiali 1.36+
- Google OIDC allowed domains
- Include ServiceAccount info across console
- Add information about Istio overhead
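The deployment.ingress change in the 1.43.0 notes above is backward-incompatible, so an existing Kiali CR has to be rewritten before the operator is upgraded. The script below is an added example, not Kiali project code: an awk rewrite that turns the old ingress_enabled / override_ingress_yaml keys into the new deployment.ingress layout. The sample CR is constructed; the rewrite assumes space-indented YAML and a single deployment section.

```shell
#!/bin/sh
# Added example (not Kiali project code): rewrite the pre-1.43 ingress keys
# of a Kiali CR into the 1.43 `deployment.ingress` layout with awk, so an
# existing CR can be converted before upgrading the operator.
# Assumptions: keys are space-indented (YAML forbids tabs) and the CR has a
# single `deployment:` section.

# Constructed sample: a Kiali CR using the old keys
OLD_CR='apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
spec:
  deployment:
    ingress_enabled: true
    override_ingress_yaml:
      metadata:
        annotations:
          nginx.ingress.kubernetes.io/secure-backends: "true"
    namespace: istio-system'

# Reads a CR on stdin, writes the migrated CR on stdout. Lines that already use
# the new layout (or have nothing to do with ingress) pass through unchanged.
migrate_ingress_settings() {
  awk '
    # number of leading spaces
    function lead(s) { match(s, /^ */); return RLENGTH }
    {
      # inside the override block: re-indent its lines by two spaces until
      # the indentation drops back to the level of the old key
      if (in_override) {
        if ($0 ~ /^[[:space:]]*$/) { print; next }
        if (lead($0) > base) { print "  " $0; next }
        in_override = 0
      }
      if ($0 ~ /^ *ingress_enabled:/) {
        base = lead($0); pad = substr($0, 1, base)
        val = $0; sub(/^ *ingress_enabled:/, "", val)
        if (!emitted) { print pad "ingress:"; emitted = 1 }
        print pad "  enabled:" val
        next
      }
      if ($0 ~ /^ *override_ingress_yaml:/) {
        base = lead($0); pad = substr($0, 1, base)
        rest = $0; sub(/^ *override_ingress_yaml:/, "", rest)
        if (!emitted) { print pad "ingress:"; emitted = 1 }
        print pad "  override_yaml:" rest
        in_override = 1
        next
      }
      print
    }'
}

# Stand-alone run: show the migrated sample CR
printf '%s\n' "$OLD_CR" | migrate_ingress_settings
```

Against a live cluster the function would be fed the output of kubectl get kiali -o yaml for the CR in question; review the rewritten YAML before applying it, since the awk pass only knows about the two renamed keys.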
Fixes:
- Workload Entry graph nodes display only “latest” version
- Kiali Documentation link from Master Head seems broken
- Crash in onCopy button in Envoy tab editors
- “More than one Gateway for the same host port combination” even with different ports
- Workload pod proxy logs shows details for Envoy app logging
1.42.0
Sprint Release: October 22nd, 2021
Features:
- Migrate to Docsy for kiali.io theme
- Add strong type mapping in Istio Kiali model
- Show mirroring info or badge on the graph
- Add a “Trendlines” option in the metrics tab
- Show gateway in istio config
- Add Sidecars on “Create Traffic Policies” namespace action
- Ability to pass custom headers to httputil.Post
- Add hostAliases field to kiali deployment manifests
- Kiali Istio dashboards incompatible with thanos-query
Fixes:
- URL parameters not persisted in inbound/outbound metric tabs
- Include Mesh Gateway in Create Traffic Routing - causes failure
- Potential Memory Leak in UI AuthenticationController
- More Sidecars on Configuration
- “missing span root” in graph side panel
1.41.0
Sprint Release: October 1st, 2021
Features:
- Add help for Graph shortcuts
- Add custom label aggregation in metrics tab
- Kiali Operator - Add ability to specify image SHA in Kiali CRs
- Improve discovery matcher process for Custom Dashboards
- Add SRE style metrics in the Overview namespace chart
- Be able to set the logging level for istio and envoy logs from Kiali UI
- Custom HTTP headers when connecting to Prometheus
- Display Envoy tab for workloads running Istio Proxy without Sidecar
Fixes:
- Workload page displays an error when accessing VirtualMachineInstance resource
- WorkloadEntry workload graph nodes have broken link
- Mesh internal ServiceEntry should be grouped in app box with workloads
- Error loading Graph - Namespace (kube-state-metrics) is excluded for Kiali
- Workloads flap between OK and Not Ready w/ Argo Rollout CR
- Unable to edit IstioConfig
- Kiali loading icon seems broken
- seg fault in IsMaistra status (found in Kiali v1.40.0)
- ansible option we use in operator code is being renamed
1.40.0
Sprint Release: September 10th, 2021
Features:
- Support exportTo validation in VirtualServices
- Add graph Factory Reset button
- Add help tooltip in the metrics tab
- Add info/tooltip on virtual service that doesn’t have a gateways section
- Support the new istio injection label
- Add indication if certificates are managed by Citadel or external tool
- Distinguish between VM based workloads and pod based workloads on the graph
- Identify and label WorkloadEntry graph nodes
- ci-kind-molecule-tests.sh should support installing OLM and testing with OLM-installed operator
- Docs and scripts regarding secrets and service accounts might need to be updated
Fixes:
- (validations) Don’t show KIA0203 when there are no VS referencing the DR subset
- Kiali Operator: Pods attempt to use auth secret when external service disabled
- Not able to build Molecule image
- Metrics charts can be too thin
- Some graph settings do not have query parms - can’t bookmark pages
- Workload’s page Actions dropdown is clickable in view_only_mode
- CRUD Permissions on events
- Kiali Login error when Prometheus fails to start
1.39.0
Sprint Release: August 20th, 2021
Features:
- generate metrics for validators
- (molecule) run molecule tests using a KinD cluster
- Remote cluster functionality should be configurable
- Update Kiali UI to latest Node.js LTS version
- Add a Molecule test to verify Grafana integration
- (operator) perform true “can_i” check to confirm the operator has correct permissions
Fixes:
- grafana-test fails - cannot look up grafana url successfully
- route created by operator doesn’t seem right
- Jaeger traces & spans fetching error
1.38
1.38.1
Mid-Sprint Release: August 6th, 2021
Fixes:
- Issues with clustering discovery
- Scripts not loading (404) on openid_error when Kiali is hosted in a subfolder (web_root: /kiali)
- Jaeger traces & spans fetching error
- helm-charts and istio addons don’t have default grafana in_cluster_url defined
1.38.0
Sprint Release: July 30th, 2021
Features:
- New badge/visualization for hostnames in Graph
- Enhanced logs viewing and correlation
- bump operator to newer minor-release of base image
- Add validation for “exportTo” fields of VirtualService, ServiceEntry
- Feature Request: Disable certain validations
- Display traffic scenario badges when present
- gRPC Streaming traffic
- Consider using tcp_received telemetry for graph generation
- community OLM metadata moving to new repos
- trivial case change to disconnected annotation value in operator metadata
- document the new dashboard annotations
- clean up upstream istio kiali addon install doc
- Display custom dashboards with more than two rows of graphs inside the card
- test custom dashboard overrides
- Use annotations to personalize CustomDashboards
Fixes:
- Scripts not loading (404) on openid_error when Kiali is hosted in a subfolder (web_root: /kiali)
- Issues with clustering discovery
- (operator) Playbook “create additional kiali labels…” fails due to unquoted string in label
- grafana links missing
- ERR GetAppTraces, Jaeger GRPC client error: rpc error: code = Unavailable desc = connection closed
- molecule tests need to wait for CRD to be established
- Add missing warning on VirtualService “exportTo” field
- Exposing workloads with ServiceEntries makes Kiali show non-existing Services
- Cannot fetch proxy status on Istio master (1.11)
1.37.0
Sprint Release: July 9th, 2021
Features:
- Support for custom istio injection labels and values
- Metrics page: select all/none filter
- Add Gateway/VirtualService hostnames in Service details
- Add gateway validation to VirtualServices
- Services list should show when a VirtualService/DestinationRule is applied
- Unify style attribute for config validation icons
- (multi-cluster) Enhance support for mesh deployment models
- Add help icon in Wizards
- Support for custom CA certificates in OpenID authentication
Fixes:
- The namespaces that begin with kube are hidden but those should be OK
- Repeated queries on CustomMetrics
- kiali Cannot load the graph “invalid character 'd' looking for beginning of value”
- Duplicated application container on Workload Logs tab
- Metrics Settings are kept but not applied when switching metrics tabs
- (perf) pr #3975 introduced perf regression for /api/namespaces/bookinfo/services/details/graph endpoint
- Tooltip span not available
1.36.0
Sprint Release: June 18th, 2021
Features:
- Connect Listeners and Routes in the Envoy Config modal
- remove istio_component_namespaces config
- Research Metrics tab main layout
- Display throughput on the graph edges
- Move Envoy Details to Workload Details
- Pod table should reflect any container crash
- Consolidate Dashboards CRDs into main Kiali config, also handled via Kiali Operator
- convert community OLM metadata to new bundle format
- Add to graph indicator for Kiali scenarios
- move the support for old versions to CRD v1 when appropriate
- Internal metrics revisit
Fixes:
- Difference between App and Workload healths - causing inconsistency in Overview
- Wrong Health info at Service level
- Trace graph tooltip truncates long hostnames
- Circuit Breaker Badge is missing in the Graph
- clean up hack/istio/bookinfo* resources
- Health popover disappearing
- (helm)(operator) do not use deprecated Ingress kind - update to latest apiVersion
- Graph replay health is not correct
- Molecule tests broken for podman 3
- Possible false positive reported as violating KIA0202
- horizontal scroll problem on graph side panel trace tab detail
2 - Security Bulletins
2.1 - KIALI-SECURITY-003 - Installation into ad-hoc namespaces
Description
- Disclosure date: May 11, 2021
- Affected Releases: prior to 1.33.0
- Impact Score: 6.6 - AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
A vulnerability was found in the Kiali Operator allowing installation of a specified image into any namespace.
Kiali users are exposed to this vulnerability if all the following conditions are met:
- Kiali operator is used for installation.
- Kiali CR was edited to install an image into an unapproved namespace.
This vulnerability is filed as CVE-2021-3495.
Mitigation
If you can update:
- Update to Kiali Operator v1.33.0 or later.
If you can not update:
- Ensure only trusted individuals can create or edit Kiali CRs (resources of kind “kiali”).
2.2 - KIALI-SECURITY-002 - Authentication bypass when using the OpenID login strategy
Description
- Disclosure date: March 5, 2021
- Affected Releases: 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.30.0
- Impact Score: 7.0 - AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:X/RC:C
A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.
Kiali users are exposed to this vulnerability if all the following conditions are met:
- Kiali is set up with the openid authentication strategy.
- As a result of configurations in both Kiali and your OpenID server, Kiali uses the implicit flow of the OpenID specification to negotiate authentication.
- Kiali is set up with RBAC turned off.
This vulnerability is filed as CVE-2021-20278.
Mitigation
If you can update:
- Update to Kiali v1.31.0 or later.
- If you need an earlier version, only Kiali 1.26.3 and 1.29.2 are fixed.
If you cannot move off an older version of Kiali, you have three options:
- Configure Kiali to use the authorization code flow of the OpenID specification; or
- Configure Kiali to use the implicit flow of the OpenID specification and enable RBAC; or
- Configure Kiali to use any of the other available authentication mechanisms.
2.3 - KIALI-SECURITY-001 - Authentication bypass using forged credentials
Description
- Disclosure date: March 25, 2020
- Affected Releases: 0.4.0 to 1.15.0
- Impact Score: 9.4 - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. Currently, Kiali has four authentication mechanisms: login, token, openshift and ldap. All are vulnerable.
The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.
Additionally, it was found that Kiali credentials were not being validated properly. Depending on the authentication mechanism configured in Kiali, this could facilitate unauthorized access into Kiali with forged and/or invalid credentials.
These vulnerabilities are filed as CVE-2020-1762 and CVE-2020-1764.
Detection
Use the following bash script to check if you are vulnerable:
# Kiali version, taken from the image tag (the part after ":v") of the running Kiali pod(s)
KIALI_VERSION=$(kubectl get pods -n istio-system -l app=kiali -o yaml | sed -n 's/^.*image: .*:v\(.*\)$/\1/p' | sort -u)
# TEST_KEY_ENV is 1 when the deployment sets no LOGIN_TOKEN_SIGNING_KEY environment variable
kubectl get deploy kiali -n istio-system -o yaml | grep -q LOGIN_TOKEN_SIGNING_KEY
TEST_KEY_ENV=$?
# TEST_KEY_CFG is 1 when the configmap has no signing_key other than the default value ("kiali")
kubectl get cm kiali -n istio-system -o yaml | grep signing_key | grep -vq kiali
TEST_KEY_CFG=$?
VERSION_ENTRIES=(${KIALI_VERSION//./ })
echo "Your Kiali version found: ${KIALI_VERSION}"
# the version is vulnerable when it is 1.15.0 or earlier
[ ${VERSION_ENTRIES[0]} -lt "1" ] || ([ ${VERSION_ENTRIES[0]} -eq "1" ] && (\
[ ${VERSION_ENTRIES[1]} -lt "15" ] || ([ ${VERSION_ENTRIES[1]} -eq "15" ] && ( \
[ ${VERSION_ENTRIES[2]} -le "0" ])))) && echo "Your Kiali version is vulnerable"
# the configuration is vulnerable when neither the environment variable nor the configmap sets a custom key
[ $TEST_KEY_ENV -eq 1 ] && [ $TEST_KEY_CFG -eq 1 ] && echo "Your Kiali configuration looks vulnerable"
The script output will be similar to this:
Your Kiali version found: 1.14.0
Your Kiali version is vulnerable
Your Kiali configuration looks vulnerable
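The detection script above needs a live cluster because every check shells out to kubectl. The script below is an added example, not part of the Kiali bulletin: the same two checks (release 1.15.0 or earlier, and no custom login-token signing key) factored into functions that read the manifests as text, so they can be run against saved kubectl dumps or checked offline. The pod, deployment and configmap fragments are constructed samples; the default key value "kiali" is the value the bulletin's own grep treats as the insecure default.

```shell
#!/bin/sh
# Added example, not part of the Kiali bulletin: the bulletin's checks for
# KIALI-SECURITY-001 written as functions over manifest text rather than
# kubectl calls. All sample inputs below are constructed.

# Constructed: fragment of `kubectl get pods -l app=kiali -o yaml`
SAMPLE_POD_YAML='    containers:
    - image: quay.io/kiali/kiali:v1.14.0
      name: kiali'

# Constructed: deployment env block with no LOGIN_TOKEN_SIGNING_KEY entry
SAMPLE_DEPLOY_YAML='    env:
    - name: ACTIVE_NAMESPACE
      value: istio-system'

# Constructed: a kiali configmap still carrying the default signing key
SAMPLE_CM_YAML='apiVersion: v1
kind: ConfigMap
data:
  config.yaml: |
    login_token:
      signing_key: kiali
    server:
      port: 20001'

# Print the version part of the image tag (the text after ":v"), as the bulletin's script does.
kiali_version_from_yaml() {
  sed -n 's/^.*image: .*:v\(.*\)$/\1/p' | sort -u
}

# Return 0 when MAJOR.MINOR[.PATCH] is in the affected range (1.15.0 or earlier).
version_is_affected() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}   # ignore a pre-release suffix such as "-rc1" (assumption: numeric patch first)
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1
  [ "$minor" -lt 15 ] && return 0
  [ "$minor" -gt 15 ] && return 1
  [ "${patch:-0}" -le 0 ]
}

# Return 0 when the configmap on stdin relies on the default signing key ("kiali")
# or has no signing_key at all; a signing_key line with any other value means a
# custom key is configured.
config_uses_default_signing_key() {
  if grep signing_key | grep -vq kiali; then
    return 1
  fi
  return 0
}

# Overall verdict, mirroring the bulletin: returns 0 (vulnerable) only when the
# version is affected and neither the env var nor the configmap supplies a custom key.
kiali_001_check() {
  pod_yaml=$1; deploy_yaml=$2; cm_yaml=$3
  version=$(printf '%s\n' "$pod_yaml" | kiali_version_from_yaml)
  echo "Your Kiali version found: $version"
  version_is_affected "$version" || return 1
  echo "Your Kiali version is vulnerable"
  printf '%s\n' "$deploy_yaml" | grep -q LOGIN_TOKEN_SIGNING_KEY && return 1
  printf '%s\n' "$cm_yaml" | config_uses_default_signing_key || return 1
  echo "Your Kiali configuration looks vulnerable"
  return 0
}

# Stand-alone run against the constructed samples
kiali_001_check "$SAMPLE_POD_YAML" "$SAMPLE_DEPLOY_YAML" "$SAMPLE_CM_YAML"
```

To use it on real data, save the three manifests with kubectl get ... -o yaml and pass their contents to kiali_001_check; the version parser keeps the bulletin's assumption that the image tag starts with "v".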
Mitigation
- Update to Kiali 1.15.1 or later.
Alternatively, if you cannot update to version 1.15.1, you can mitigate by setting a secure signing key when deploying Kiali. If you installed via the Kiali operator, you could use the following bash script:
# 20-character alphanumeric key drawn with bash's $RANDOM
SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
# insert spec.login_token.signing_key into the Kiali CR (assumes a single Kiali CR in the cluster); the operator reconciles the change
kubectl get kiali -n $(kubectl get kiali --all-namespaces --no-headers -o custom-columns=NS:.metadata.namespace) -o yaml | sed "s/spec:/spec:\n  login_token:\n    signing_key: $SIGN_KEY/" | kubectl apply -f -
If you installed via the Istio helm charts or the istioctl command, you could use the following bash script:
KIALI_INSTALL_NAMESPACE=istio-system
# 20-character alphanumeric key drawn with bash's $RANDOM
SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
# add login_token.signing_key in front of the server: block of config.yaml in the kiali configmap; the inserted lines assume the four-space indentation of the config.yaml content in that configmap
kubectl get cm kiali -n $KIALI_INSTALL_NAMESPACE -o yaml | sed "s/server:/login_token:\\n      signing_key: $SIGN_KEY\\n    server:/" | kubectl apply -f -
# restart the Kiali pod(s) so the new key is read
kubectl delete pod -l app=kiali -n $KIALI_INSTALL_NAMESPACE