Istio ingress-gateway issue in Kiali graphs

Hello,

I am not so experienced with Istio and Kiali, but according to the documentation and demos that I’ve seen, when viewing graphs in Kiali, it should show that the “istio-ingressgateway” is the entrypoint for the traffic in the mesh.
In my scenario, I have my microservice “hello-kubernetes” deployed in the “hello” namespace. In the same ‘hello’ namespace I have created a Gateway+VirtualTraffic in order to route the traffic through the Istio Ingress GW (installed by default in “istio-system” namespace).

In Kiali I merged the graphs for both namespaces: “istio-system” + “hello”. I was expecting in the graph belonging to the “hello” namespace to see that the “source” of the traffic is “istio-ingressgateway” and not “unknown”.

Besides this, in the graph belonging to “istio-system” the source of traffic seems to be “istio-ingressgateway”, but it shows that the other services are also in “unknown” namespaces and I do not know why.

kiali.istio-system.svc.cluster.local -> service located in “istio-system” (but traffic is routed through the GW and VS defined in “default” namespace)
hello-kubernetes.hello.svc.cluster.local -> service located in “default” namespace.

Is this normal behavior? Is my configuration wrong? I have seen in many other demos/pictures that the “istio-ingressgateway” is also present in the graphs where microservices are deployed.

My expectation is as in the below graph -> in the “default” namespace graphs the traffic comes from the “istio-ingressgateway”.

My setup is:

Kiali UI 1.22.1
Kiali Server v1.22.1
Kiali Container v1.22.1

Components

Istio 1.7.4
Prometheus 2.19.0
Kubernetes v1.18.1

My configuration:

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway-hello
  namespace: hello
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-hello
  namespace: hello
spec:
  hosts:
  - kiali.kube-dev.avancart.local
  - hello.kube-dev.avancart.local
  gateways:
  - gateway-hello
  http:
  - match:
    - headers:
        Host:
          exact: kiali.kube-dev.avancart.local
    route:
    - destination:
        host: kiali.istio-system.svc.cluster.local
        port:
          number: 20001
  - match:
    - headers:
        Host:
          exact: hello.kube-dev.avancart.local
    route:
    - destination:
        host: hello-kubernetes.hello.svc.cluster.local
        port:
          number: 80

Hello everyone,

Any thoughts here? Has anyone faced the same issues in Kiali graphs with istio-ingressgateway?

Kiali is only showing what Istio telemetry is reporting. Sometimes this means your traffic is not flowing as you expect. Or perhaps for some reason you are getting bad telemetry. In my experience whenever Kiali shows a destination service node with a fully-qualified service name, and an unknown namespace (like what you are seeing in the green box) and also an unknown source sending to the expected service (like you are seeing in the blue box), it means Istio is failing “meta-data” exchange and you are seeing a single request broken into two parts: from the source proxy (ingress) to the requested service, and then from unknown to the target service/workload.

@jshaughn Thank you for your reply. What should I do in this case?
I think my setup is fine. I followed all the necessary installation steps for istio v.1.6.x and v.1.7.x (with Kubernetes 1.18 and 1.19). I get the same results. This broken meta-data affects not only the Kiali graphs but also the Grafana monitoring, which is based on the same Prometheus metrics.
Is this a bug?

Might this be another example of “broken meta-data” too?
I have the “memcache” workload and the service “memcache” in the same namespace with all the client workloads. Still, the Kiali graphs show that the clients are connecting to the service “memcache.default.svc.cluster.local” -> having the “Restricted Namespace” label - which is not true.

I can only suggest pursuing the issue with the Istio folks. You could open a GitHub issue, ask more in Istio Slack’s Telemetry channel, or hope for a response here.

As for Kiali, I can only recommend that you can clean up your graph using “graph hide” expressions.

Hi,
I managed to find why my Kiali graphs were not as I expected. Everything was caused by the Kubernetes services configuration -> name of the ports. It seems that it is very important to name the port using the convention “protocol-portNr”. At first I only used TCP or UDP protocol but that did not help. In the end, the solution is here: https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/

  ports:
  - name: http-8081
    port: 8081
    protocol: TCP
    targetPort: 8081
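A check for the port-naming fix described in the last post, as an added example that is not part of the original thread: it scans the JSON produced by `kubectl get svc -A -o json` and lists Service ports whose name or `appProtocol` does not declare a protocol. The protocol list is taken from the linked Istio protocol-selection page; the function names and the sample ServiceList (including the `web` port name and port 11211) are constructed for illustration.

```python
import json
import re

# Protocol prefixes listed in Istio's protocol-selection documentation.
ISTIO_PROTOCOLS = {"http", "http2", "https", "tcp", "tls", "grpc",
                   "grpc-web", "mongo", "mysql", "redis"}
# Port names follow <protocol>[-<suffix>]; try "grpc-web" before the generic
# prefix so "grpc-web-8080" is not read as plain "grpc".
_PREFIX = re.compile(r"^(grpc-web|[a-z0-9]+)(?:-.*)?$")

def declared_protocol(port):
    """Return the protocol declared by a Service port, or None."""
    app = (port.get("appProtocol") or "").lower()
    if app in ISTIO_PROTOCOLS:
        return app
    m = _PREFIX.match((port.get("name") or "").lower())
    if m and m.group(1) in ISTIO_PROTOCOLS:
        return m.group(1)
    return None

def undeclared_ports(service_list):
    """List (namespace, service, port, name) for ports with no declared protocol."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc["metadata"]
        for port in svc.get("spec", {}).get("ports", []):
            if port.get("protocol", "TCP") == "UDP":
                continue  # UDP is not proxied by the sidecar, naming is moot
            if declared_protocol(port) is None:
                findings.append((meta["namespace"], meta["name"],
                                 port["port"], port.get("name")))
    return findings

# Constructed sample in the shape of `kubectl get svc -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "hello", "name": "hello-kubernetes"},
  "spec": {"ports": [{"name": "web", "port": 80, "protocol": "TCP"},
                     {"name": "http-8081", "port": 8081, "protocol": "TCP"}]}},
 {"metadata": {"namespace": "default", "name": "memcache"},
  "spec": {"ports": [{"port": 11211, "protocol": "TCP"}]}}
]}""")

if __name__ == "__main__":
    for ns, name, number, port_name in undeclared_ports(SAMPLE):
        print(f"{ns}/{name}: port {number} (name={port_name!r}) declares no protocol")
```

To run it against a live cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the `kubectl` output in.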