Explore the UI
Use the Gloo UI to get an at-a-glance view of the configuration, health, and compliance status of your Gloo Gateway setup and the workloads in your cluster.
About the Gloo UI
- Gloo Gateway dashboard: Use the Gloo UI dashboard to quickly review the health of your Gloo Gateway setup, and any insights that were detected. If you use the Gloo UI in a multicluster setup, you can also review the health of the Gloo management server and agents.
- Insights: The Gloo UI comes with an insights engine that automatically analyzes your Gloo Gateway setup for health issues. These issues are shared in the UI along with recommendations to harden your Gloo Gateway setup. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For more information, see Insights.
- Traffic resource overview: Review the Gateways, routes, policies, and destinations that are set up in your environment and the traffic management rules that you applied to them.
- Security and compliance: The Dashboard and Security Insights pages of the Gloo UI can help you review the overall security posture of your setup, including insights and recommendations regarding your certificates, encrypted traffic, FIPS compliance, and more.
- Drill into apps and services: Review what services can communicate with other services and how traffic between services is secured.
- Visualize and monitor metrics: With the built-in Prometheus integration, the Gloo UI has access to workload-specific metrics, such as the number of requests that were received for a workload. This data is visualized in the Gloo UI graph.
Before you begin
Follow the steps to Set up the Gloo UI.
Launch the UI
- Port-forward the Gloo UI pod.
kubectl port-forward deployment/gloo-mesh-ui -n gloo-system 8090 - Open the Gloo UI dashboard.
open http://localhost:8090/dashboard
Home
View the health and performance of your Gloo Gateway components, and view recommendations to harden your setup by using the Dashboard and Insights pages.
Dashboard
The Gloo UI dashboard provides an at-a-glance overview of your Gloo Gateway setup, including insights, request rates, failures, and latency, and the health of Gloo Gateway components.
Insights
When you install the Gloo UI, it comes with an insights engine that automatically analyzes your Gloo Gateway setup for health issues. These issues are displayed in the UI along with recommendations to harden and improve your setups’ efficiency, security, and configuration. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For an overview of available insights, see Insights.
Inventory
The Inventory section provides an at-a-glance look at the health of registered clusters and discovered services that make up your Gloo Gateway environment.
Clusters
On the Clusters page, review details of the cluster where Gloo Gateway is installed, such as insights, the health of the Gloo Gateway control and data planes, relay certificate information (in multicluster setups only), and applied routes, gateways, destinations, and policies.
Single cluster: In a single-cluster setup, you can review the details of the cluster where you deployed Gloo Gateway.
Multicluster: In a multicluster setup, you can review the details of each cluster that you registered with the Gloo management plane.
To filter clusters by the cluster’s installation health, click the Healthy and Unhealthy buttons. You can also use the Sort by Name dropdown or the search bar to filter clusters by name.
Figure: Clusters page Figure: Clusters page Click More Details to see a more detailed dashboard for the cluster. This dashboard can help you find errors in your Gloo and Istio setups. Note that if you run multiple versions of Istio within the same cluster, you can click each version in the Version tab to see its details.
Figure: Cluster details page Figure: Cluster details page
Global services
If you have a multicluster ambient or sidecar mesh setup, and made services available across clusters, the Global Services page lists the global service hostnames that are available for those services. For example, the following image shows the productpage.bookinfo.mesh.internal global hostname for the productpage service, which has services instances in two clusters of the multicluster setup.
Traffic
The Traffic section provides an overview of deployed Gateways, routes, policies, and destinations.
Gateways
On the Gateways page, you can view the YAML configuration of gateway-related resources, such as GatewayClass, Gateway, and GatewayParameters .
To filter the list of resources, you can choose between the following options:
- Use the Search bar to find a resource by name, namespace, or other properties
- Use the Filter menu to filter by:
- Status: Filter between healthy and unhealthy resources.
- Type: Display the resource types that you are interested in.
- Label: Filter resources by label key and value.
Routes
On the Routes page, you can view the HTTPRoute and TCPRoute resources (Kubernetes Gateway API) that you created in your cluster.
To filter the list of resources, you can choose between the following options:
- Use the Search bar to find a resource by name, namespace, or other properties
- Use the Filter menu to filter by:
- Status: Filter between healthy and unhealthy resources.
- Type: Display the resource types that you are interested in.
- Label: Filter resources by label key and value.
From the Details page of a route:
- To debug the route, click View YAML to view the route’s YAML configuration.
- Find the hostnames that the route matches on in the Hostnames card.
- Find the gateway that serves this route in the Gateways card.
- View the matchers that the route defines, its backing destinations, and any filters that you applied to the route in the Rule card.
Policies
On the Policies page, you can view any policies that you applied in your environment, such as RouteOption, VirtualHostOption, ListenerOption, HttpListenerOptions, AuthConfigs, and RatelimitConfig. To view the policy configuration, you can click YAML.
To filter the list of resources, you can choose between the following options:
- Use the Search bar to find a resource by name, namespace, or other properties
- Use the Filter menu to filter by:
- Status: Filter between healthy and unhealthy resources.
- Type: Display the resource types that you are interested in.
- Label: Filter resources by label key and value.
Destinations
On the Destination page, review a list of discovered destinations, such as Kubernetes services and Gloo Gateway Upstreams.
To filter the list of resources, you can choose between the following options:
- Use the Search bar to find a resource by name, namespace, or other properties
- Use the Filter menu to filter by:
- Status: Filter between healthy and unhealthy resources.
- Type: Display the resource types that you are interested in.
- Label: Filter resources by label key and value.
From the Details page of a destination:
- To debug the service, click View YAML to view the destination’s YAML configuration.
- See an analysis of the service’s error rate and latency in the Service Signals card.
- View the Graph tab to visualize the network traffic that reaches your destination. For more information about how to use the graph, see Graph.
Security
Security insights
The Dashboard and Security Insights pages of the Gloo UI can help you review the overall security posture of your Istio setup, including insights and recommendations regarding your certificates, encrypted traffic, FIPS compliance, and more.
The Security insights page is used in multicluster setups only. In single cluster setups, this section remains empty.
Certificates
View a list of all Istio and relay certificates in your environment. This list provides the Filter by expiration… dropdown to filter certificates by validity status, and the Filter by type… dropdown to filter certificates by type, such as Istio root or intermediate.
The Certificates page is used in multicluster setups only. In single cluster setups, this section remains empty.
To view the details of a certificate, such as the issue details, total validity period, and fingerprints, click the certificate name. On the certificate details page, you can review general information, such as the common name and organization the certificate is issued to, and check the validity period and fingerprints of the certificate.
Observability
The Gloo UI consumes telemetry data from Prometheus and Jaeger and visualizes this data in the Observability section.
Graph
The Gloo UI includes a Graph page to visualize the network traffic that reaches the services in your cluster.
Note that in version 2.7 and later, the new Graph experience is displayed by default. To switch back to the original Graph, click View the original Graph experience.
Filters
Default Graph:
In the Search bar, filter the services that you want to see in the graph. You can choose to include or hide those services.
From the Cluster and Namespace dropdown, select the cluster and namespace for which you want to visualize traffic.
- Use the
+and-buttons to zoom in and out of the graph. - Use the arrow button to center and fit the graph to the canvas size. This action might be helpful if you rearranged the nodes and zoomed in.
- Use the lock button to lock the current viewpoint. You cannot move any of the boxes or arrows if the lock is enabled.
- Use the expanded arrows button to open a full-screen view of the graph. You can press escape to exit the full-screen view.
- Use the grid button to reset the layout.
Original Graph experience:
In the Search bar, filter the services that you want to see in the graph. You can choose to include or hide those services.
From the Traffic dropdown, select the range of time that you want the graph to show, such as traffic from the last 15 minutes.
From the Refresh dropdown, select how often you want the graph to refresh the data, such as every 5 seconds. You can also refresh on demand by clicking REFRESH.
After the header toolbar, you can filter what the graph shows by namespace and cluster. Filters work like the logical operator AND, so results must meet all the criteria. For example, if you filter by bookinfo namespace and cluster1, then the graph shows services that meet all these criteria.
Toggle Errors Only to see services that experienced traffic errors during the traffic time range you selected from the header toolbar.
Within the graph views, you can navigate by clicking and dragging whitespace within the main canvas, or by using the navigation arrow buttons, as shown in the following figure.
After the header toolbar, filter, and main canvas, you can choose more viewing options in the footer toolbar.
| # | Icon name | Description |
|---|---|---|
| 1 | Fullscreen | Click to expand your browser to fullscreen. Click again or enter ESC to return to the normal screen size. |
| 2 | Zoom in and out | Zoom in or out on the main view’s canvas. Depending on your mouse settings, you can also scroll to zoom in and out. |
| 3 | Reset | If you moved the position of nodes on the graph, reset the nodes to their original positions. |
| 4 | Fit to canvas | Click to center and fit the content of the current view to the canvas size. This action might be helpful if you rearranged the nodes and zoomed in. |
| 5 | Networking graph views | Click one of the networking graph views to change how the nodes are displayed in the main canvas. For more information, see Networking views. |
| 6 | View legend | Open the graph legend. For more information, see Legend. |
| 7 | Layout settings | Open the graph layout settings. For more information, see Layout settings. |
Layout settings
Click the settings icon to view the layout settings for the graph.
From the footer toolbar, click Layout Settings. Toggle on or off the following settings.
General:
- Animations: Animate edges with a speed proportional to the requests per second.
- Mutual TLS: If you use an Istio service mesh alongside your Gloo Gateway installation, toggle the lock icons along paths between node that are mTLS encrypted.
- TCP: Review TCP traffic.
Node types displayed:
Nodes represent the application “nodes” of the graph. (Note that nodes represent your apps, not Kubernetes compute nodes.) You can toggle on and off views for the following nodes:
- Kubernetes services
- External services
- Gateways
Node status displayed:Toggle on or off idle nodes, which are nodes that do not receive traffic.
Legend
Click on the eye icon to view the Graph legend.
Kubernetes Services and External Services describe the icons that are used for the application “nodes” of the graph. For example, a node might be a Kubernetes service, such as a gateway proxy, mesh workload, or waypoint proxy, or an external service, such as a virtual machine (VM), external workload, or Lambda function.
Node States, L7 Edges, and L4 Edges show whether a service’s traffic behaves normally or not, as indicated by a color or icon.
Node States:
| Node color | State | Description |
|---|---|---|
| Blue | Healthy | The node is operative, and sends and responds to traffic as expected. |
| Orange | Warning | The node has some sort of degraded status or operation. |
| Gray | Idle | The node does not yet accept or send traffic. For example, the deployment might be pending. |
| Red | Error | The node has some sort of failure. |
L7 Edges:
| Dashed line color or icon | State | Description |
|---|---|---|
| Green | Healthy | Traffic is flowing between the nodes as expected, in the direction indicated. |
| Yellow | Warning | Traffic is degraded in some way. For example, a policy might be applied to a route that rate limits traffic to a service. Most of the requests are successful, but some are not. |
| Gray | Idle | The traffic connection is established, but requests are not yet sent or received along the connection. |
| Red | Error | Traffic is failing. For example, a policy might be applied to a route that blocks traffic to a service. |
| Black lock icon | mTLS applied | Service isolation is enabled for the traffic, with communication secured via mTLS. |
L4 Edges:
| Solid line color or icon | State | Description |
|---|---|---|
| Blue | Active | Traffic is flowing between the nodes as expected, in the direction indicated. |
| Gray | Idle | The traffic connection is established, but requests are not yet sent or received along the connection. |
| Black lock icon | mTLS applied | Service isolation is enabled for the traffic, with communication secured via mTLS. |
From the footer toolbar, click Show Legend.
Node Types describes the icons that are used for the application “nodes” of the graph. For example, a node might be a Kubernetes service, such as a gateway proxy, mesh workload, or waypoint proxy, or an external service, such as a virtual machine (VM), external workload, or Lambda function.
Node States and Edges show whether a service’s traffic behaves normally or not, as indicated by a color or icon.
| Color or icon | State | Description |
|---|---|---|
| Blue | Normal | The node sends and responds to traffic as expected. |
| Red | Danger | The node has some sort of failure. For example, a policy might be applied to a route that blocks traffic to a service. |
| Yellow | Warn | The node has some sort of degraded traffic. For example, a policy might be applied to a route that rate limits traffic to a service. Most of the requests are successful, but some are not. |
| Gray | Idle | The node does not yet accept or send traffic. For example, the deployment might be pending. |
| Dashed, black line | L7 | The traffic between nodes is sent over Layer 7 (application). For this traffic, you can apply L7 HTTP/HTTPS policies that are supported in Gloo Mesh (Gloo Platform APIs), Gloo Mesh Gateway, and Gloo Gateway only. |
| Solid, navy or gray line | L4 | The traffic between nodes is sent over Layer 4 (transport). |
| Colorful triangles | Failure, Healthy, Degraded, or Idle | The connection is in a state of failure, healthy, degraded, or idle, depending on the color. Try describing the resources in your cluster to troubleshoot further. |
| Blue lock icon | mTLS applied | Service isolation is enabled for the traffic, with communication secured via mTLS. You can change service isolation settings via an access policy for a specific destination, or for the entire workspace via the workspace settings. |
| Istio icon | Enforced by Istio | The traffic connection is enforced by Istio. |