When you install the Gloo UI, it comes with an insights engine that automatically analyzes your Gloo Gateway setup for health issues. These issues are displayed in the UI along with recommendations to harden and improve your setups’ efficiency, security, and configuration. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment.

Launch the Gloo UI

To review the Gloo Gateway analysis of and insights for your setup, launch the Gloo UI.

  1. Port-forward the Gloo UI pod.

      kubectl port-forward deployment/gloo-mesh-ui -n gloo-system 8090
      
  2. Open the Gloo UI dashboard.

      open http://localhost:8090/dashboard
      
  3. Review your Dashboard. The dashboard shows an at-a-glance overview of your Gloo Gateway environment, including any service mesh installations.

    Figure: Gloo UI dashboard

Review installation health and insights

Learn how to view and resolve insights in your Gloo Gateway environment.

View all insights

On the Insights page, you can view recommendations to harden your Gloo Gateway and, if applicable, Istio setups, along with steps to implement them in your environment. Gloo Gateway analyzes your setup and returns individual insights that contain information about errors and warnings in your environment, best practices you can use to improve your configuration and security, and more.

Figure: Insights page

In the list of all insights, each insight has the following attributes:

  • Level: The severity level of the insight.
    • Info: Informational reports, such as summaries of the current state of resources, or best practice recommendations, such as steps you can take to conform to Istio standards.
    • Warning: Potential issues that might affect the functionality of your setup.
    • Error: Issues that currently affect the functionality of your setup, and must be resolved.
  • Resource: The name, namespace, and cluster of the resource that the insight refers to. For example, argocd-vs.argocd.mgmt refers to the virtual service named argocd-vs in the argocd namespace of your mgmt cluster.
  • Summary: A short description of the insight.
  • Category: The type of the insight.
    • Best Practice: Best practice recommendations, such as scoping resources to namespaces.
    • Configuration: Configuration of Gloo Gateway and Istio resources, such as validation checks or recommended fields.
    • Health: Health checks and status updates for components of your Gloo Gateway, and if applicable, Istio installations.
    • Security: If installed, security of your service mesh setups, such as recommended steps to harden your Istio certificate setup.

You can optionally use the filters to view insights by severity level or category, and the Search by cluster dropdown to filter insights by particular clusters.

Resolve insights

Click on the insight that you want to resolve to find resolution steps.

Figure: Example insight
  • Summary: The summary tab shows more data about the insight, such as the time when it was last observed in your environment, and details about configuration fields that might need attention. This example insight warns that a virtual service is exported to all namespaces, which is not recommended for security reasons.
  • Target YAML: If applicable, the YAML shows the resource file that the insight references, such as a virtual service or gateway.
  • Resolution Steps: If applicable, the resolution tab provides steps that you can take to resolve the insight. For example, you might follow the steps to change specific settings in your resources.
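The export scope that the example insight warns about, as an added example that is not taken from the Gloo documentation. The resource name, namespaces, and hosts are constructed placeholders; `exportTo` is the standard Istio VirtualService field.

```yaml
# Constructed example; example-vs, example-app, and istio-ingress are placeholders.
# The two documents are alternatives for the same resource, not meant to be
# applied together.

# Before: visible to sidecars and gateways in every namespace.
# Omitting exportTo has the same effect, because "*" is the Istio default.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-vs
  namespace: example-app
spec:
  hosts:
    - example-svc.example-app.svc.cluster.local
  exportTo:
    - "*"
  http:
    - route:
        - destination:
            host: example-svc.example-app.svc.cluster.local
---
# After: visible only in its own namespace (".") and in the namespace of the
# gateway that serves it. If the virtual service is bound to a gateway in
# another namespace, that namespace must be listed, or the gateway no longer
# sees the routes.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-vs
  namespace: example-app
spec:
  hosts:
    - example-svc.example-app.svc.cluster.local
  exportTo:
    - "."
    - istio-ingress
  http:
    - route:
        - destination:
            host: example-svc.example-app.svc.cluster.local
```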

Review in-mesh services

The Cluster Services card of the dashboard visualizes the number of total services across all clusters in your Gloo Gateway setup, and whether those services are in your Istio service mesh or not. For example, if you deploy workloads to a namespace that is not labeled for automatic Istio sidecar injection or for the ambient dataplane mode, the services are not managed by Istio and are counted in the number of “Out of Mesh” services.

Additionally, for services in the mesh, the card visualizes which services are included in a sidecar-based mesh, and which services are included in an ambient mesh.

For more details about the discovered services, click Details, which opens the list of services in the Traffic > Destinations page.

Figure: Cluster Services card

Review your Istio security posture

The Dashboard and Security Insights pages of the Gloo UI can help you review the overall security posture of your Istio setup, including insights and recommendations regarding your certificates, encrypted traffic, FIPS compliance, and more.

Check certificates

The Certificate card of the dashboard visualizes your Istio root and intermediate certificates, and how much time you have before they expire. You can see how long your certificates are valid for in the timeline bar. For example, if your certificates are in the blue section of the timeline, the certificates are valid and no action is required. If your certificates are in the yellow section, you can begin the renewal process. If your certificates are in the red section, your certificates are expired, and must be renewed.

Figure: Certificates card

To view a list of all certificates for your Istio setup, you can click the See all button, or go to the Security > Certificates page. This list provides the Filter by expiration… dropdown to filter insights by validity status, and the Filter by type… dropdown to filter certificates by type, such as root or intermediate.

To view the details of a certificate, such as the issue details, total validity period, and fingerprints, click the certificate name.

Figure: Certificates details card

Review FIPS compliance

The Istio FIPS card of the dashboard confirms whether the images that you use for your Istio control plane are FIPS compliant, and whether the workloads in your data plane are managed by a FIPS-compliant Istio control plane.

For example, if your environment runs workloads that require federal information processing compliance, you can use Solo distributions of Istio that are specially built to comply with NIST FIPS. When you use a Solo distribution of Istio tagged with -fips, your istiod control plane becomes FIPS compliant. Then, when you update workloads in your service mesh to be managed by this istiod control plane, your workloads are also counted as FIPS compliant.

Figure: Istio FIPS card

For more information on FIPS compliance, see Supported Istio versions in the Solo Enterprise for Istio docs.

Verify zero trust

The Zero Trust card of the dashboard summarizes the security posture of traffic to and from your in-mesh services.

For example, if you configure your Istio workloads to use the PERMISSIVE mutual TLS (mTLS) mode, only a low number of workloads might receive mTLS-encrypted traffic requests. If you later add proxy sidecars to more of your services to include them in the mesh, and switch the mTLS mode to STRICT, the number of services receiving encrypted traffic increases significantly.

Figure: Zero Trust card
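The PERMISSIVE to STRICT switch described above, written as Istio PeerAuthentication resources. This is an added example, not part of the Gloo documentation; it assumes istio-system is the Istio root namespace, and example-app is a constructed placeholder namespace.

```yaml
# Constructed example; assumes istio-system is the Istio root namespace and
# example-app is a placeholder namespace whose workloads all have sidecars.
# Apply one stage at a time.

# Stage 1: mesh-wide PERMISSIVE. Workloads accept both plaintext and mTLS,
# so requests from clients outside the mesh still arrive unencrypted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
---
# Stage 2: STRICT for a single namespace after its workloads are in the mesh.
# A namespace-level policy takes precedence over the mesh-wide one, so
# plaintext requests to workloads in example-app are now rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: example-app
spec:
  mtls:
    mode: STRICT
---
# Stage 3: mesh-wide STRICT. Same name and namespace as stage 1, so applying
# it replaces that policy. Clients that are not in the mesh can no longer
# reach in-mesh workloads, so confirm they are all migrated first.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```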

Disable insights

As you resolve insights in your environment, you might want to ignore or remove some insights instead of resolving them. For example, an insight that gives a warning for production usage might not be relevant when you try out a new feature in a sandbox Istio environment.

To disable an insight and remove it from your insights list in the Gloo UI:

  1. Open the Gloo UI. The Gloo UI is served from the gloo-mesh-ui service on port 8090. You can connect by using the meshctl or kubectl CLIs.

    • meshctl: For more information, see the CLI documentation.
        meshctl dashboard
        
    • kubectl:
      1. Port-forward the gloo-mesh-ui service on 8090.
          kubectl port-forward -n gloo-mesh svc/gloo-mesh-ui 8090:8090
          
      2. Open your browser and connect to http://localhost:8090.
  2. From the left-hand navigation, click Home > Insights.
  3. Find the insight’s code by clicking the insight’s name, and in the Summary look for the Code.
  4. Include the insight’s code in an InsightsConfig resource. For example, the following resource disables the CFG0002 and CFG0003 insights.
      kubectl apply -f - << EOF
      apiVersion: admin.gloo.solo.io/v2alpha1
      kind: InsightsConfig
      metadata:
        name: insights-config
        namespace: gloo-mesh
      spec:
        disabledInsights:
          - CFG0002
          - CFG0003
      EOF