search

kiali / kiali

Kiali project, observability for the Istio service mesh
https://www.kiali.io
Apache License 2.0
3.38k stars 478 forks source link

Discovery selectors use case #7751

Open josunect opened 2 days ago

josunect commented 2 days ago

What do you want to improve?

The Kiali behavior when the discovery selectors doesn't include a namespace that is part of the mesh?

For example:

service mesh has namespaces A, B, C, istio-system.
I want Kiali instance X to only see A, istio-system.
I want Kiali instance Y to only see B, istio-system.
I want Kiali instance Z to only see C, istio-system.

What is the current behavior?

In this example, bookinfo is part of the Mesh, but discovery selectors are not finding the namespace: 

deployment:
  discovery_selectors:
    default:
    - matchLabels:
        abc: def
        uvw: xyz
  view_only_mode: false
  cluster_wide_access: true

image

image

What is the new behavior?

I think both views should be consistent, if user is able to see the bookinfo namespace in the Mesh view, probably also in the Overview, and not throwing an error.

jmazzitelli commented 2 days ago

Ultimately, it comes down to this (we should come to a consensus for the answer to this question):

What should the Kiali UI display if a namespace is part of the mesh but that namespace does not match a discovery selector?

I was under the assumption the answer to that question is "Nothing". If a namespace doesn't match a discovery selector, it should look as if the namespace doesn't even exist. Nowhere in the Kiali UI should it be showing a namespace that doesn't match a discovery selector.

Is that how it really should be? Or are there edge cases where we still want to show the namespace (like here in that Mesh page)? I don't know the answer. Without thinking about it deeply, my guess is that my original assumption is correct - we should not show a namespace anywhere in the UI if it doesn't match a discovery selector. I'm curious to hear what other people think.

(BTW: ignore the control plane namespace (e.g. "istio-system") and the Kiali deployment namespace - those are always shown whether they have a discovery selector or not)

nrfox commented 2 days ago

IMO this is a bug. If the namespace is excluded from the discovery selectors, why is it then shown on the mesh page? You'll end up with weird behavior like the screenshot above. Maybe we can somehow signal to the user that discovery selectors might be filtering the namespaces they are seeing on the mesh page though?

jmazzitelli commented 2 days ago

why is it then shown on the mesh page?

My thought was this Mesh page's "Data Plane" view is supposed to be showing what Istio sees as its "data plane" -- the "data plane" of the service mesh include all namespaces in the mesh, which could be namespaces that Kiali, itself, does not know about via its discovery selectors.

So - Mesh page "Data Plane" - is this one of those edge cases where we want to show all namespaces even if they don't match Kiali discovery selectors?

OR.. in our Mesh page.. does the "Data Plane" refer to only those namespaces that Kiali knows about? In which case, @nrfox suggestion seems the right thing to do: Maybe we can somehow signal to the user that discovery selectors might be filtering the namespaces they are seeing on the mesh page though?

nrfox commented 2 days ago

My thought was this Mesh page's "Data Plane" view is supposed to be showing what Istio sees as its "data plane" -- the "data plane" of the service mesh include all namespaces in the mesh, which could be namespaces that Kiali, itself, does not know about via its discovery selectors.

Well yes. If you ignore the word "Data Plane", the mesh page is just showing which namespaces are managed by that controlplane i.e. which namespaces have a istio.io/rev or a istio-injection: enabled label. I still don't think it makes sense to show anywhere namespaces that aren't selected by Kiali's discovery selectors. It defeats the purpose.

jmazzitelli commented 2 days ago

I still don't think it makes sense to show anywhere namespaces that aren't selected by Kiali's discovery selectors. It defeats the purpose.

Yup. That was my original thought, too. I'm OK with that. If that's the consensus view, then what @josunect reported is a bug that we need to fix.

jshaughn commented 2 days ago

I definitely agree that the current behavior is a bug, we should never get an error like that. And I agree that no non-MeshPage should ever see a namespace that is outside of the defined Kiali Discovery Selectors. But in this scenario I'm not 100% sure we should omit bookinfo in the Mesh page. If we could just marked it as inaccessible, not show anything other than the name (and maybe our standard icon), it may be valuable. We frequently take that approach in the graph. We will still show a namespace that is inaccessible, because there is traffic coming in, or going out to it.