Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Kiali Operator provided by Red Hat

4.1. Using Kiali Operator provided by Red Hat
Copy link

Once you have added your application to the mesh, you can use Kiali Operator provided by Red Hat to view the data flow through your application.

4.1.1. About Kiali
Copy link

You can use Kiali Operator provided by Red Hat to view configurations, monitor traffic, and analyze traces in a single console. It is based on the open source Kiali project.

Kiali Operator provided by Red Hat is the management console for Red Hat OpenShift Service Mesh. It provides dashboards, observability, and robust configuration and validation capabilities. It shows the structure of your service mesh by inferring traffic topology and displays the health of your mesh. Kiali provides detailed metrics, powerful validation, access to Grafana, and strong integration with the Red Hat OpenShift distributed tracing platform (Tempo).

The following steps show how to install the Kiali Operator provided by Red Hat.

Warning

Do not install the Community version of the Operator. The Community version is not supported.

Prerequisites

  • Access to the Red Hat OpenShift Service Mesh web console.

Procedure

  1. Log in to the Red Hat OpenShift Service Mesh web console.
  2. Navigate to Operators OperatorHub.
  3. Type Kiali into the filter box to find the Kiali Operator provided by Red Hat.
  4. Click Kiali Operator provided by Red Hat to display information about the Operator.
  5. Click Install.
  6. On the Operator Installation page, select the stable Update Channel.
  7. Select All namespaces on the cluster (default). This installs the Operator in the default openshift-operators project and makes the Operator available to all projects in the cluster.

  8. Select the Automatic Approval Strategy.

    Note

    The Manual approval strategy requires a user with appropriate credentials to approve the Operator installation and subscription process.

  9. Click Install.
  10. The Installed Operators page displays the Kiali Operator’s installation progress.

4.1.3. Configuring OpenShift Monitoring with Kiali
Copy link

The following steps show how to integrate the Kiali Operator provided by Red Hat with user-workload monitoring.

Prerequisites

  • Red Hat OpenShift Service Mesh is installed.
  • User-workload monitoring is enabled. See Enabling monitoring for user-defined projects.
  • OpenShift Monitoring has been configured with Service Mesh. See "Configuring OpenShift Monitoring with Service Mesh".
  • Kiali Operator provided by Red Hat 2.4 is installed.

Procedure

  1. Create a ClusterRoleBinding resource for Kiali:

    Example ClusterRoleBinding configuration

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kiali-monitoring-rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-monitoring-view
subjects:
- kind: ServiceAccount
  name: kiali-service-account
  namespace: istio-system
    Copy to Clipboard Toggle word wrap

  2. Create a Kiali resource and point it to your Istio instance:

    Example Kiali resource configuration

    apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali-user-workload-monitoring
  namespace: istio-system
spec:
  external_services:
    prometheus:
      auth:
        type: bearer
        use_kiali_token: true
      thanos_proxy:
        enabled: true
      url: https://thanos-querier.openshift-monitoring.svc.cluster.local:9091
    Copy to Clipboard Toggle word wrap

  3. When the Kiali resource is ready, get the Kiali URL from the Route by running the following command: 

    $ echo "https://$(oc get routes -n istio-system kiali -o jsonpath='{.spec.host}')"
    Copy to Clipboard Toggle word wrap
  4. Follow the URL to open Kiali in your web browser.
  5. Navigate to the Traffic Graph tab to check the traffic in the Kiali UI.

You can integrate Red Hat OpenShift distributed tracing platform with Kiali Operator provided by Red Hat, which enables the following features:

  • Display trace overlays and details on the graph.
  • Display scatterplot charts and in-depth trace/span information on detail pages.
  • Integrated span information in logs and metric charts.
  • Offer links to the external tracing UI.

After you integrate Kiali Operator provided by Red Hat with Red Hat OpenShift distributed tracing platform, you can view distributed traces in the Kiali console. Viewing traces provides insight into the communication between services within the service mesh, helping you understand how requests are flowing through your system and where potential issues might reside.

Prerequisites

  • You installed Red Hat OpenShift Service Mesh.
  • You configured distributed tracing platform with Red Hat OpenShift Service Mesh.

Procedure

  1. Update the Kiali resource spec configuration for tracing:

    Example Kiali resource spec configuration for tracing

    spec:
  external_services:
    tracing:
      enabled: true
    1 
    
      provider: tempo
    2 
    
      use_grpc: false
      internal_url: https://tempo-sample-gateway.tempo.svc.cluster.local:8080/api/traces/v1/default/tempo
    3 
    
      external_url: https://tempo-sample-gateway-tempo.apps-crc.testing/api/traces/v1/default/search
    4 
    
      health_check_url: https://tempo-sample-gateway-tempo.apps-crc.testing/api/traces/v1/default/tempo/api/echo
    5 
    
      auth:
    6 
    
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
        insecure_skip_verify: false
        type: bearer
        use_kiali_token: true
      tempo_config:
         url_format: "jaeger"
    7
    Copy to Clipboard Toggle word wrap

    1
    Specifies whether tracing is enabled.
    2
    Specifies either distributed tracing platform (Tempo) or distributed tracing platform (Jaeger). The distributed tracing platform can expose a Jaeger API or a Tempo API.
    3
    Specifies the internal URL for the Tempo API. When you deploy the distributed tracing platform in multitenancy, include the tenant name in the URL path of the internal_url parameter. In this example, default represents the tenant name.
    4
    Specifies the OpenShift route for the Jaeger UI. When you deploy the distributed tracing platform in multitenancy, the gateway creates the route. Otherwise, you must create the route in the Tempo namespace. You can manually create the route for the tempo-sample-query-frontend service or update the Tempo custom resource with .spec.template.queryFrontend.jaegerQuery.ingress.type: route.
    5
    Specifies the health check URL. Not required by default. When you deploy the distributed tracing platform in multitenancy, it does not expose the default health check URL. This is an example of a valid health URL.
    6
    Specifies the configuration used when the access URL is HTTPS or requires authentication. Not required by default.
    7
    Specifies the configuration that defaults to grafana. Not required by default. Change to jaeger if the Kiali View in tracing link redirects to the Jaeger console UI.
  2. Save the updated spec in kiali_cr.yaml.

  3. Run the following command to apply the configuration: 

    $ oc patch -n istio-system kiali kiali --type merge -p "$(cat kiali_cr.yaml)"
    Copy to Clipboard Toggle word wrap

    Example output:

     kiali.kiali.io/kiali patched
    Copy to Clipboard Toggle word wrap

Verification

  1. Run the following command to get the Kiali route: 

    $ oc get route kiali ns istio-system
    Copy to Clipboard Toggle word wrap
  2. Navigate to the Kiali UI.
  3. Navigate to Workload Traces tab to see traces in the Kiali UI.

4.2. Using OpenShift Service Mesh Console plugin
Copy link

The OpenShift Service Mesh Console (OSSMC) plugin extends the OpenShift Container Platform web console with a Service Mesh menu and enhanced tabs for workloads and services.

4.2.1. About OpenShift Service Mesh Console plugin
Copy link

The OpenShift Service Mesh Console (OSSMC) plugin is an extension to OpenShift Container Platform web console that provides visibility into your Service Mesh.

Warning

The OSSMC plugin supports only one Kiali instance, regardless of its project access scope.

The OSSMC plugin provides a new category, Service Mesh, in the main OpenShift Container Platform web console navigation with the following menu options:

Overview
Provides a summary of your mesh, displayed as cards that represent the namespaces in the mesh.
Traffic Graph
Provides a full topology view of your mesh, represented by nodes and edges. Each node represents a component of the mesh and each edge represents traffic flowing through the mesh between components.
Istio config
Provides a list of all Istio configuration files in your mesh, with a column that provides a quick way to know if the configuration for each resource is valid.
Mesh
Provides detailed information about the Istio infrastructure status. It shows an infrastructure topology view with core and add-on components, their health, and how they are connected to each other.

In the web console Workloads details page, the OSSMC plugin adds a Service Mesh tab that has the following subtabs:

Overview
Shows a summary of the selected workload, including a localized topology graph showing the workload with all inbound and outbound edges and nodes.
Traffic
Shows information about all inbound and outbound traffic to the workload.
Logs
Shows the logs for the workload’s containers. You can see container logs individually ordered by log time and how the Envoy sidecar proxy logs relate to your workload’s application logs. You can enable the tracing span integration, which allows you to see which logs correspond to trace spans.
Metrics
Shows inbound and outbound metric graphs in the corresponding subtabs. All the workload metrics are here, providing a detailed view of the performance of your workload. You can enable the tracing span integration, which allows you to see which spans occurred at the same time as the metrics. With the span marker in the graph, you can see the specific spans associated with that timeframe.
Traces
Provides a chart showing the trace spans collected over the given timeframe. The trace spans show the most low-level detail within your workload application. The trace details further show heatmaps that provide a comparison of one span in relation to other requests and spans in the same timeframe.
Envoy
Shows information about the Envoy sidecar configuration.

In the web console Networking details page, the OSSMC plugin adds a Service Mesh tab similar to the Workloads details page.

In the web console Projects details page, the OSSMC plugin adds a Service Mesh tab that provides traffic graph information about that project. It is the same information shown in the Traffic Graph page but specific to that project.

You can install the OSSMC plugin with the Kiali Operator by creating a OSSMConsole resource with the corresponding plugin settings. It is recommended to install the latest version of the Kiali Operator, even while installing a previous OSSMC plugin version, as it includes the latest z-stream release.

Expand
Table 4.1. OSSM version compatibility
OSSM versionKiali Server versionOSSMC plugin versionOCP version

3.0

v2.4

v2.4

4.15+

2.6

v1.73

v1.73

4.15-4.18

2.5

v1.73

v1.73

4.14-4.18

Note

OSSMC plugin is only supported on OpenShift Container Platform 4.15 and above. For OpenShift Container Platform 4.14 users, only the standalone Kiali console is accessible.

You can install the OSSMC plugin by using the OpenShift Container Platform web console or the OpenShift CLI (oc).

You can install the OpenShift Service Mesh Console (OSSMC) plugin by using the OpenShift Container Platform web console.

Prerequisites

  • You have the administrator access to the OpenShift Container Platform web console.
  • You have installed the OpenShift Service Mesh (OSSM).
  • You have installed the Istio control plane from OSSM 3.0.
  • You have installed the Kiali Server 2.4.

Procedure

  1. Navigate to Installed Operators.
  2. Click Kiali Operator provided by Red Hat.
  3. Click Create instance on the Red Hat OpenShift Service Mesh Console tile. You can also click Create OSSMConsole button under the OpenShift Service Mesh Console tab.

  4. Use the Create OSSMConsole form to create an instance of the OSSMConsole custom resource (CR). Name and Version are the required fields.

    Note

    The Version field must match with the spec.version field in your Kiali custom resource (CR). If Version value is the string default, the Kiali Operator installs OpenShift Service Mesh Console (OSSMC) with the same version as the operator. The spec.version field requires the v prefix in the version number. The version number must only include the major and minor version numbers (not the patch number); for example: v1.73.

  5. Click Create.

Verification

  1. Wait until the web console notifies you that the OSSMC plugin is installed and prompts you to refresh.
  2. Verify that the Service Mesh category is added in the main OpenShift Container Platform web console navigation.

4.2.2.2. Installing OSSMC plugin by using the CLI
Copy link

You can install the OpenShift Service Mesh Console (OSSMC) plugin by using the OpenShift CLI.

Prerequisites

  • You have access to the OpenShift CLI (oc) on the cluster as an administrator.
  • You have installed the OpenShift Service Mesh (OSSM).
  • You have installed the Istio control plane from OSSM 3.0.
  • You have installed the Kiali Server 2.4.

Procedure

  1. Create a OSSMConsole custom resource (CR) to install the plugin by running the following command: 

    $ cat <<EOM | oc apply -f -
apiVersion: kiali.io/v1alpha1
kind: OSSMConsole
metadata:
  namespace: openshift-operators
  name: ossmconsole
spec:
  version: default
EOM
    Copy to Clipboard Toggle word wrap
    Note

    The OpenShift Service Mesh Console (OSSMC) version must match with the Kiali Server version. If spec.version field value is the string default or is not specified, the Kiali Operator installs OSSMC with the same version as the operator. The spec.version field requires the v prefix in the version number. The version number must only include the major and minor version numbers (not the patch number); for example: v1.73.

    The plugin resources deploy in the same namespace as the OSSMConsole CR.

  2. Optional: If more than one Kiali Server is installed in the cluster, specify the spec.kiali setting in the OSSMC CR by running a command similar to the following example: 

    $ cat <<EOM | oc apply -f -
apiVersion: kiali.io/v1alpha1
kind: OSSMConsole
metadata:
  namespace: openshift-operators
  name: ossmconsole
spec:
  kiali:
    serviceName: kiali
    serviceNamespace: istio-system-two
    servicePort: 20001
EOM
    Copy to Clipboard Toggle word wrap

Verification

  1. Go to the OpenShift Container Platform web console.
  2. Verify that the Service Mesh category is added in the main OpenShift Container Platform web console navigation.
  3. If the OSSMC plugin is not installed yet, wait until the web console notifies you that the OSSMC plugin is installed and prompts you to refresh.

You can uninstall the OSSMC plugin by using the OpenShift Container Platform web console or the OpenShift CLI (oc).

You must uninstall the OSSMC plugin before removing the Kiali Operator. Deleting the Operator first may leave OSSMC and Kiali CRs stuck, requiring manual removal of the finalizer. Use the following command with <custom_resource_type> as kiali or ossmconsole to remove the finalizer, if needed: 

$ oc patch <custom_resource_type> <custom_resource_name> -n <custom_resource_namespace> -p '{"metadata":{"finalizers": []}}' --type=merge
Copy to Clipboard Toggle word wrap

You can uninstall the OpenShift Service Mesh Console (OSSMC) plugin by using the OpenShift Container Platform web console.

Procedure

  1. Navigate to Installed Operators.
  2. Click Kiali Operator.
  3. Select the OpenShift Service Mesh Console tab.
  4. Click Delete OSSMConsole option from the entry menu.
  5. Confirm that you want to delete the plugin.

You can uninstall the OpenShift Service Mesh Console (OSSMC) plugin by using the OpenShift CLI (oc).

Procedure

  • Remove the OSSMC custom resource (CR) by running the following command: 

    $ oc delete ossmconsoles <custom_resource_name> -n <custom_resource_namespace>
    Copy to Clipboard Toggle word wrap

Verification

  • Verify all the CRs are deleted from all namespaces by running the following command: 

    $ for r in $(oc get ossmconsoles --ignore-not-found=true --all-namespaces -o custom-columns=NS:.metadata.namespace,N:.metadata.name --no-headers | sed 's/  */:/g'); do oc delete ossmconsoles -n $(echo $r|cut -d: -f1) $(echo $r|cut -d: -f2); done
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat