News

• 1: Release Notes
• 2: Security Bulletins
• 2.1: KIALI-SECURITY-003 - Installation into ad-hoc namespaces
• 2.2: KIALI-SECURITY-002 - Authentication bypass when using the OpenID login strategy
• 2.3: KIALI-SECURITY-001 - Authentication bypass using forged credentials

1 - Release Notes

For additional information check our sprint demo videos and blogs.

1.47.0

Sprint Release: February 25th, 2022

Features:

• Allow dynamic markers on editor according to Istio config object
• Introduce “preview” mode in Istio Config actions
• Add Istio Config Preview under wizard actions under istio config page
• Refactor Kiali Validations to better use the Istio registry information
• Refactor Kiali Validations according to Istio Registry usage model for listing Configs and Services
• Add Istio Config Preview under wizard actions under service details page
• Add graph generator for creating mock graph data

Fixes:

• (operator) CSV should define skipRange
• namespace excludes default regexes should only filter out namespaces that “starts-with” the patterns.
• Fix “xxx is not found as xxx” issue

1.46.0

Sprint Release: February 4th, 2022

Features:

• Add prerequisites in quick-start kiali.io to try kiali
• Create and sync namespace caches on startup
• publish the auto-generated docs for the kiali cr
• Instrument Kiali server with Jaeger
• Deprecate Iter8 extension in favor of a new model
• Validations: Support exportTo field

Fixes:

• Gateway Validation References - Contains self reference
• invalid link in kiali.io doc page istio.md
• Graph hide can hang browser when zoomed out enough to hide labels
• auth is broken according to molecule tests
• Trend lines feature broken in master

1.45.0

Sprint Release: January 14th, 2022

Features:

• Hide graph labels that are too small to read
• Add preview mode in overview page
• Graph: Correctly badge service nodes with the VS/Route icon
• (graph) Enable namespace and cluster boxing by default
• tests should use latest minikube and dex to keep up to date
• Support exportTo validation in ServicesEntries
• (operator) update operator to base image 1.10.1 (4.9)

Fixes:

• Jaeger http legacy protocol has problems in master
• Adjust font style in trace details comparison map
• fast click Idle Nodes (or other graph display options) can break UI
• Missing “KIA1106 More than one Virtual Service for same host” for cross-namespace cases
• Minigraph navigation broken
• “KIA1102 VirtualService is pointing to a non-existent gateway” shown only once.
• Wrong KIA1106 “More than one Virtual Service for same host”
• Number of regex.Compile() calls in multi_match_checker scales quadratically with hosts checked
• “Could not fetch services list” Error in Service view when selecting some namespaces
• Molecule “api-test” failure in graph generation on ossm 2.1
• Validations and TLS Endpoints Very Slow
• Reconciliation may fail when removing a namespace from a cluster immediately after removing it from spec.deployment.accessible_namespaces
• k8s service appProtocol is no reflected in config checks

1.44.0

Sprint Release: December 3rd, 2021

Features:

• Correct graph edge for Pod to Pod communication using destination_workload
• Make istiod ports configurable in kiali
• Support rootNamespace: administrative namespace for istio config
• Support rootNamespace in Peer Authentication validations
• Support rootNamespace in Sidecar validations
• access ingress_enabled for now to support older CRs
• Include an explanation about the lack of health information for TCP services (like a database)
• (operator) implement best practice guidelines to support multi-tenant installations
• Upgrade kubernetes/client-go version and update beta interfaces for workloads

Fixes:

• KIA1105: Virtual service routes may not point to any subset
• Possible memory leak in /api/istio/status endpoint
• Documentation doesn’t show how to configure Kiali

1.43.0

Sprint Release: November 12nd, 2021

Features:

• Allow Kiali Graphs to show EgressGateway traffic to ServiceEntry
• (Feature Request) Support mounting existing secret into Kiali Pod
• Calculate graph importance score
• Validations - Ensure ServiceEntry has WorkloadEntry addresses
• Support getting the root namespace from Istio configuration
• ingress created by Kiali CR does not include ingress class - need new deployment.ingress setting

Please note this introduces a backward-incompatible change. Users with the prior ingress settings defined in their Kiali CR will need to make an update. Other users are not affected. The previous ingress settings were:

deployment:
  ingress_enabled: <true|false>
  override_ingress_yaml:
    ...the override yaml here...

This has been changed to the following:

deployment:
  ingress:
    enabled: <true|false>
    override_yaml:
      ...the override yaml here...

• Update kiali.io docs to Kiali 1.36+
• Google OIDC allowed domains
• Include ServiceAccount info across console
• Add information about Istio overhead

Fixes:

• Workload Entry graph nodes display only “latest” version
• Kiali Documentation link from Master Head seems broken
• Crash in onCopy button in Envoy tab editors
• “More than one Gateway for the same host port combination” even with different ports
• Workload pod proxy logs shows details for Envoy app logging

1.42.0

Sprint Release: October 22nd, 2021

Features:

• Migrate to Docsy for kiali.io theme
• Add strong type mapping in Istio Kiali model
• Show mirroring info or badge on the graph
• Add a “Trendlines” option in the metrics tab
• Show gateway in istio config
• Add Sidecars on “Create Traffic Policies” namespace action
• Ability to pass custom headers to httputil.Post
• Add hostAliases field to kiali deployment manifests
• Kiali Istio dashboards incompatible with thanos-query

Fixes:

• URL parameters not persisted in inbound/outbound metric tabs
• Include Mesh Gateway in Create Traffic Routing - causes failure
• Potential Memory Leak in UI AuthenticationController
• More Sidecars on Configuration
• “missing span root” in graph side panel

1.41.0

Sprint Release: October 1st, 2021

Features:

• Add help for Graph shortcuts
• Add custom label aggregation in metrics tab
• Kiali Operator - Add ability to specify image SHA in Kiali CRs
• Improve discovery matcher process for Custom Dashboards
• Add SRE style metrics in the Overview namespace chart
• Be able to set the logging level for istio and envoy logs from Kiali UI
• Custom HTTP headers when connecting to Prometheus
• Display Envoy tab for workloads running Istio Proxy without Sidecar

Fixes:

• Workload page displays an error when accessing VirtualMachineInstance resource
• WorkloadEntry workload graph nodes have broken link
• Mesh internal ServiceEntry should be grouped in app box with workloads
• Error loading Graph - Namespace (kube-state-metrics) is excluded for Kiali
• Workloads flap between OK and Not Ready w/ Argo Rollout CR
• Unable to edit IstioConfig
• Kiali loading icon seems broken
• seg fault in IsMaistra status (found in Kiali v1.40.0)
• ansible option we use in operator code is being renamed

1.40.0

Sprint Release: September 10th, 2021

Features:

• Support exportTo validation in VirtualServices
• Add graph Factory Reset button
• Add help tooltip in the metrics tab
• Add info/tooltip on virtual service that doesn’t have a gateways section
• Support the new istio injection label
• Add indication if certificates are managed by Citadel or external tool
• Distinguish between VM based workloads and pod based workloads on the graph
• Identify and label WorkloadEntry graph nodes
• ci-kind-molecule-tests.sh should support installing OLM and testing with OLM-installed operator
• Docs and scripts regarding secrets and service accounts might need to be updated

Fixes:

• (validations) Don’t show KIA0203 when there are no VS referencing the DR subset
• Kiali Operator: Pods attempt to use auth secret when external service disabled
• Not able to build Molecule image
• Metrics charts can be too thin
• Some graph settings do not have query parms - can’t bookmark pages
• Workload’s page Actions dropdown is clickable in view_only_mode
• CRUD Permissions on events
• Kiali Login error when Prometheus fails to start

1.39.0

Sprint Release: August 20th, 2021

Features:

• generate metrics for validators
• (molecule) run molecule tests using a KinD cluster
• Remote cluster functionality should be configurable
• Update Kiali UI to latest Node.js LTS version
• Add a Molecule test to verify Grafana integration
• (operator) perform true “can_i” check to confirm the operator has correct permissions

Fixes:

• grafana-test fails - cannot look up grafana url successfully
• route created by operator doesn’t seem right
• Jaeger traces & spans fetching error

1.38

1.38.1

Mid-Sprint Release: August 6th, 2021

Fixes:

• Issues with clustering discovery
• Scripts not loading (404) on openid_error when Kiali is hosted in a subfolder (web_root: /kiali)
• Jaeger traces & spans fetching error
• helm-charts and istio addons doesn’t have default grafana in_cluster_url defined

1.38.0

Sprint Release: July 30th, 2021

Features:

• New badge/visualization for hostnames in Graph
• Enhanced logs viewing and correlation
• bump operator to newer minor-release of base image
• Add validation for “exportTo” fields of VirtualService, ServiceEntry
• Feature Request: Disable certain validations
• Display traffic scenario badges when present
• gRPC Streaming traffic
• Consider using tcp_received telemetry for graph generation
• community OLM metadata moving to new repos
• trivial case change to disconnected annotation value in operator metadata
• document the new dashboard annotations
• clean up upstream istio kiali addon install doc
• Display custom dashboards with more than two rows of graphs inside the card
• test custom dashboard overrides
• Use annotations to personalize CustomDashboards

Fixes:

• Scripts not loading (404) on openid_error when Kiali is hosted in a subfolder (web_root: /kiali)
• Issues with clustering discovery
• (operator) Playbook “create additional kiali labels…” fails due to unquoted string in label
• grafana links missing
• ERR GetAppTraces, Jaeger GRPC client error: rpc error: code = Unavailable desc = connection closed
• molecule tests need to wait for CRD to be established
• Add missing warning on VirtualService “exportTo” field
• Exposing workloads with ServiceEntries makes Kiali show non-existing Services
• Cannot fetch proxy status on Istio master (1.11)

1.37.0

Sprint Release: July 9th, 2021

Features:

• Support for custom istio injection labels and values
• Metrics page: select all/none filter
• Add Gateway/VirtualService hostnames in Service details
• Add gateway validation to VirtualServices
• Services list should show when a VirtualService/DestinationRule is applied
• Unify style attribute for config validation icons
• (multi-cluster) Enhance support for mesh deployment models
• Add help icon in Wizards
• Support for custom CA certificates in OpenID authentication

Fixes:

• The namespaces that begins with kube are hidden but those should be OK
• Repeated queries on CustomMetrics
• kiali Cannot load the graph “invalid character ’d' looking for beginning of value”
• Duplicated application container on Workload Logs tab
• Metrics Settings are kept but not applied when switching metrics tabs
• (perf) pr #3975 introduced perf regression for /api/namespaces/bookinfo/services/details/graph endpoint
• Tooltip span not available

1.36.0

Sprint Release: June 18th, 2021

Features:

• Connect Listeners and Routes in the Envoy Config modal
• remove istio_component_namespaces config
• Research Metrics tab main layout
• Display throughput on the graph edges
• Move Envoy Details to Workload Details
• Pod table should reflect any container crash
• Consolidate Dashboards CRDs into main Kiali config, also handled via Kiali Operator
• convert community OLM metadata to new bundle format
• Add to graph indicator for Kiali scenarios
• move the support for old versions to CRD v1 when appropriate
• Internal metrics revisit

Fixes:

• Difference between App and Workload healths - causing inconsistency in Overview
• Wrong Health info at Service level
• Trace graph tooltip truncates long hostnames
• Circuit Breaker Badge is missing in the Graph
• clean up hack/istio/bookinfo* resources
• Health popover disappearing
• (helm)(operator) do not use deprecated Ingress kind - update to latest apiVersion
• Graph replay health is not correct
• Molecule tests broken for podman 3
• Possible false positive reported as violating KIA0202
• horizontal scroll problem on graph side panel trace tab detail

2 - Security Bulletins

2.1 - KIALI-SECURITY-003 - Installation into ad-hoc namespaces

Description

• Disclosure date: May 11, 2021
• Affected Releases: prior to 1.33.0
• Impact Score: 6.6 - AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

A vulnerability was found in the Kiali Operator allowing installation of a specified image into any namespace.

Kiali users are exposed to this vulnerability if all the following conditions are met:

• Kiali operator is used for installation.
• Kiali CR was edited to install an image into an unapproved namespace.

This vulnerability is filed as CVE-2021-3495

Mitigation

If you can update:

• Update to Kiali Operator v1.33.0 or later.

If you can not update:

• Ensure only trusted individuals can create or edit a Kiali CRs (resources of kind “kiali”).

2.2 - KIALI-SECURITY-002 - Authentication bypass when using the OpenID login strategy

Description

• Disclosure date: March 5, 2021
• Affected Releases: 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.30.0
• Impact Score: 7.0 - AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:X/RC:C

A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.

Kiali users are exposed to this vulnerability if all the following conditions are met:

• Kiali is setup with the openid authentication strategy.
• As a result of configurations in both Kiali and your OpenID server, Kiali uses the implicit flow of the OpenID specification to negotiate authentication.
• Kiali is setup with RBAC turned off.

This vulnerability is filed as CVE-2021-20278

Mitigation

If you can update:

• Update to Kiali v1.31.0 or later.
• If you need an earlier version, only Kiali 1.26.3 and 1.29.2 are fixed.

If you are locked with an older version of Kiali, you have three options:

• Configure Kiali to use the authorization code flow of the OpenID specification; or
• Configure Kiali to use the implicit flow of the OpenID specification and enable RBAC; or
• Configure Kiali to use any of the other available authentication mechanisms.

2.3 - KIALI-SECURITY-001 - Authentication bypass using forged credentials

Description

• Disclosure date: March 25, 2020
• Affected Releases: 0.4.0 to 1.15.0
• Impact Score: 9.4 - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. Currently, Kiali has four authentication mechanisms: login, token, openshift and ldap. All are vulnerable.

The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.

Additionally, it was found that Kiali credentials were not being validated properly. Depending on the authentication mechanism configured in Kiali, this could facilitate unauthorized access into Kiali with forged and/or invalid credentials.

These vulnerabilities are filed as CVE-2020-1762 and CVE-2020-1764

Detection

Use the following bash script to check if you are vulnerable:

KIALI_VERSION=$(kubectl get pods -n istio-system -l app=kiali -o yaml | sed -n 's/^.*image: .*:v\(.*\)$/\1/p' | sort -u)
kubectl get deploy kiali -n istio-system -o yaml | grep -q LOGIN_TOKEN_SIGNING_KEY
TEST_KEY_ENV=$?
kubectl get cm kiali -n istio-system -o yaml | grep signing_key | grep -vq kiali
TEST_KEY_CFG=$?
VERSION_ENTRIES=(${KIALI_VERSION//./ })
echo "Your Kiali version found: ${KIALI_VERSION}"
[ ${VERSION_ENTRIES[0]} -lt "1" ] || ([ ${VERSION_ENTRIES[0]} -eq "1" ] && (\
  [ ${VERSION_ENTRIES[1]} -lt "15" ] || ([ ${VERSION_ENTRIES[1]} -eq "15" ] && ( \
  [ ${VERSION_ENTRIES[2]} -le "0" ])))) && echo "Your Kiali version is vulnerable"
[ $TEST_KEY_ENV -eq 1 ] && [ $TEST_KEY_CFG -eq 1 ] && echo "Your Kiali configuration looks vulnerable"

The script output will be similar to this:

Your Kiali version found: 1.14.0
Your Kiali version is vulnerable
Your Kiali configuration looks vulnerable

Mitigation

• Update to Kiali 1.15.1 or later.

Alternatively, if you cannot update to version 1.15.1, mitigation is possible by setting a secure signing key when deploying Kiali. If you installed via Kiali operator, you could use the following bash script:

SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
kubectl get kiali -n $(kubectl get kiali --all-namespaces --no-headers -o custom-columns=NS:.metadata.namespace) -o yaml | sed "s/spec:/spec:\n    login_token:\n      signing_key: $SIGN_KEY/" | kubectl apply -f -

If you installed via Istio helm charts or istioctl command, you could use the following bash script:

KIALI_INSTALL_NAMESPACE=istio-system
SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
kubectl get cm kiali -n $KIALI_INSTALL_NAMESPACE -o yaml | sed "s/server:/login_token:\\n      signing_key: $SIGN_KEY\\n    server:/" | kubectl apply -f -
kubectl delete pod -l app=kiali -n $KIALI_INSTALL_NAMESPACE