Kiali working with no Istiod access

[josunect]

Proposal as a first version to have Kiali running with no Istiod.

Details in: https://docs.google.com/document/d/1XjkodS5Uu14C_1l3-j7iNaWfLufQFycY-cKMlagIxyc

Changes:

• Not perform some calls if there is no access to istiod. They were making the system really slow (When istiod was not available):
  • get pod proxy status for workloads
  • Get registry services for services
  • Fetch registry services
• Istio Config: Show a message indicating that Istiod is not available

Some tests to review performance: Frontend tests were showing a degraded performance so a new commit was sent to internally cache the istioAccess value

• How this could be tested
• Documentation PR: New section kiali working with no istiod kiali.io#613
• Operator PR: Add new configuration option istio_api_enabled kiali-operator#595

Fixes #5626

[Xunzhuo]

Great! If you want some reviews, ping me after this is ready! @josunect

[josunect]

Great! If you want some reviews, ping me after this is ready! @josunect

Thanks, @Xunzhuo ! It would be great! I'll let you know.

[josunect]

Changes when istiod is not available:

Istio no available messages

This remains the same. Should we change it to just a warning instead of error?

Service mesh version unknown

Workload status warning because no proxy pod sync

Istio Config not available

Show a message instead

No error requests
There are no error or time out requests.

Running locally with no istiod
I had to add some code in kubernetes/token to run in local environment. But not sure yet what would be the best solution to not have to modify the code all the time.

Probably it would require some more testing but I think it is ready for feedback and reviews

[nrfox]

Thanks for picking up this investigation!

[nrfox]

I think this would be better as a config option for the registry where you can enable/disable the registry altogether if you'd like rather than having it just be a fallback option: https://github.com/kiali/kiali/blob/master/config/config.go#L208.

@hhovsepy may be looking into this but you should be able to get the istio config from the kube api rather than the registry when there's no istiod access.

What will be the impact on the controlplane namespace card once there is no direct istiod access? It might still be possible to get some details, like controlplane revision, about the controlplane from the injection webhook since this may be present in the cluster even if the controlplane is not.

[jshaughn]

Funny, I was just looking at the same thing. I also think it makes sense to configure Kiali for this scenario. By default Kiali would expect to be able to connect to istiod's debug endpoint and proceed normally. If it can't connect then that would be a FAILURE scenario for the control plane card. If configured to ignore istiod then it would be a DEGRADED scenario for the control plane card (even if it is accessible we won't connect, this could be for performance reasons, or whatever).

[hhovsepy]

draft solution of retrieving configs when istiod is not available #5649

[josunect]

draft solution of retrieving configs when istiod is not available #5649

Thanks, @hhovsepy !

[jshaughn]

Good progress @josunect , I think I agree with @nrfox about making this a more explicit configuration option for Kiali (see comments). What do you think?

[josunect]

Good progress @josunect , I think I agree with @nrfox about making this a more explicit configuration option for Kiali (see comments). What do you think?

Thanks, @jshaughn and @nrfox for the review! I'll approach the changes and submit.

I've though in do it this way as it can be more robust in the sense that it can work even if Istiod is or is not available, but it is true that it is not possible to know the reason, can be intentional or not - a failure. So it make sense to do it more explicit as part of the configuration.

[josunect]

I've also added the following change:

View for CP card if Istio API is disabled:

And enabled:

[Xunzhuo]

I have reviewed the backend codes, did not find any issues. LGTM. Wait for other reviews in front part :)

[josunect]

I have reviewed the backend codes, did not find any issues. LGTM. Wait for other reviews in front part :)

Thank you, @Xunzhuo !

[hhovsepy]

Is it supposed, that the case when 'istiod' is not running/accessible and the config "istio_api_enabled: true" will be handled? Because it throws "open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory" error message while selecting "istiod" workload.

[josunect]

Is it supposed, that the case when 'istiod' is not running/accessible and the config "istio_api_enabled: true" will be handled? Because it throws "open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory" error message while selecting "istiod" workload.

In that case, it won't be handled - That should be the default behavior. But, I will reproduce it.

[hhovsepy]

Facing a different behavior on OCP cluster, gateway timeouts on all requests:

Many errors in Kiali pod log:
1202 12:56:50.277723 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "pods" in API group "" at the cluster scope E1202 12:56:50.277759 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "pods" in API group "" at the cluster scope W1202 12:56:51.683977 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1beta1.AuthorizationPolicy: authorizationpolicies.security.istio.io is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "authorizationpolicies" in API group "security.istio.io" at the cluster scope

[jmazzitelli]

Many errors in Kiali pod log: `1202 12:56:50.277723 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "pods" in API group "" at the cluster scope

@hhovsepy What is your deployment.accessible_namespaces set to? Is it ['**'] or a list of namespaces?

That error message says it wants permission to list pods AT THE CLUSTER SCOPE. Which means it expects (for some reason) a ClusterRole. The Kiali SA only gets bound to a ClusterRole when accessible_namespaces is set to ['**']. Otherwise, there are just Roles for each namespace listed in accessible_namespaces.

We never before required ClusterRole access to look at pods. So this error message seems strange. We should avoid this requirement if possible.

[hhovsepy]

When setting accessible_namespaces: [ "**" ], Kiali pod fails to get ready, but this is not PR related:
W1202 17:07:02.688572 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "deployments" in API group "apps" at the cluster scope E1202 17:07:02.688614 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "deployments" in API group "apps" at the cluster scope W1202 17:07:03.229890 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "statefulsets" in API group "apps" at the cluster scope E1202 17:07:03.229935 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "statefulsets" in API group "apps" at the cluster scope

[josunect]

It will need to test further after the merge. I see some errors like:

2023-01-10T15:01:54Z WRN Error getting proxy status from istiod. Proxy status may be stale. Err: unable to proxy Istiod pods. Make sure your Kubernetes API server has access to the Istio control plane through 8080 port

2023-01-10T15:03:54Z ERR Failed to call Istiod endpoint /debug/syncz error: unable to proxy Istiod pods. Make sure your Kubernetes API server has access to the Istio control plane through 8080 port

[nrfox]

LGTM