Gloo Mesh Core comes with an insights engine that automatically analyzes your Istio setup for health issues. Then, Gloo shares these issues along with recommendations to harden your Istio setup. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment.

Launch the Gloo UI

To review the Gloo Mesh Core analysis of and insights for your service mesh, launch the Gloo UI.

  1. Open the Gloo UI. The Gloo UI is served from the gloo-mesh-ui service on port 8090. You can connect by using the meshctl or kubectl CLIs.

    • meshctl: For more information, see the CLI documentation.
        meshctl dashboard
    • kubectl:
      1. Port-forward the gloo-mesh-ui service on 8090.
          kubectl port-forward -n gloo-mesh svc/gloo-mesh-ui 8090:8090
      2. Open your browser and connect to http://localhost:8090.
  2. Review your Dashboard. The dashboard shows an at-a-glance overview of your Istio service mesh.


Figure: Gloo UI dashboard

Review Istio health and insights

On the Analysis and Insights card of the dashboard, you can quickly see a summary of the insights for your environment, including how many insights are available at each severity level, and what type of insights are available. To view the list of insights, you can click the Details buttons, or go to the Insights page.

Figure: Insights and analysis card

View all insights

On the Insights page, you can view recommendations to harden your Istio setup and steps to implement them in your environment. Gloo Mesh Core analyzes your Istio service meshes, and returns individual insights that contain information about errors and warnings in your environment, best practices you can use to improve your configuration and security, and more.

Figure: Insights page

In the list of all insights, each insight has the following attributes:

  • Level: The severity level of the insight.
    • Info: Informational reports, such as summaries of the current state of resources, or best practice recommendations, such as steps you can take to conform to Istio standards.
    • Warning: Potential issues that might affect the functionality of your setup.
    • Error: Issues that currently affect the functionality of your setup, and must be resolved.
  • Category: The type of the insight.
    • Best Practice: Best practice recommendations, such as scoping resources to namespaces.
    • Configuration: Configuration of Istio resources, such as validation checks or recommended fields.
    • Health: Health checks and status updates for components of your Istio installation.
    • Security: Security of your service mesh setup, such as recommended steps to harden your Istio certificate setup.
  • Summary: A short description of the insight.
  • Resource Name: The name, namespace, and cluster of the Istio resource that the insight refers to. For example, argocd-vs.argocd.mgmt refers to the virtual service named arcgocd-vs in the arcgocd namespace of your mgmt cluster.

You can optionally use the Filter by… dropdowns to filter insights by category or severity level, and the Search by cluster dropdown to filter insights by particular clusters.

Resolve insights

For detailed information about how to resolve each insight, click Details.

Figure: Example insight

  • Summary: The summary tab shows more data about the insight, such as the time when it was last observed in your environment, and details about configuration fields that might need attention. This example insight warns that a virtual service is exported to all namespaces, which is not recommended for security reasons.
  • Target YAML: If applicable, the YAML shows the resource file that the insight references, such as a virtual service or gateway.
  • View Resolution Steps: If applicable, the resolution tab provides steps that you can take to resolve the insight. For example, you might follow the steps to change specific settings in your Istio custom resources. Or, for further functionality and benefits, you might consider upgrading to other Solo products, such as Gloo Mesh Enterprise.

Check overall Istio health

The Istio and Gloo health card of the dashboard provides a check of the Gloo Mesh Core and Istio installations in your clusters.

Istio: The Istio tab provides an at-a-glance status of the health of your Istio components. You can click the link button beside each component to see more details about its health. The environment check shows all versions of Istio that are installed in your environment, and the state of each installation. In this example, one version of community Istio, 1.19.3, and one version of Solo Istio, 1.18.3-solo, are installed in your environment. One warning is reported for one of the installations. You can hover over the warning icon to see more information, such as the reported Istio vulnerability for 1.18.3.

Gloo: The Gloo tab provides an at-a-glance status of the health of each Gloo Mesh Core component. You can click the link button beside each component to see more details about its health. The environment check shows all versions of Gloo Mesh Core that are installed in your environment, the state of each installation, and the number of clusters in your environment.


Review in-mesh services

The Cluster Services card of the dashboard visualizes the number of total services across all clusters in your Gloo Mesh Core setup, and whether those services are in your Istio service mesh or not. For example, if you deploy workloads to a namespace that is not labeled for automatic Istio sidecar injection, the services are not managed by Istio and are counted in the number of “Out of Mesh” services.

Additionally, for services in the mesh, the card visualizes which services are included in a sidecar-based mesh, and which services are included in an ambient mesh.

For more details about the discovered services, click Details, which opens the list of services in the Inventory > Services page.

Figure: Cluster Services card

Review your security posture

The Dashboard and Security Insights pages of the Gloo UI can help you review the overall security posture of your Istio setup, including insights and recommendations regarding your certificates, encrypted traffic, FIPS compliance, and more.

Check certificates

The Certificate Expiry card of the dashboard visualizes your Istio root and intermediate certificates, and how much time you have before they expire. You can see how long your certificates are valid for in the timeline bar. For example, if your certificates are in the blue section of the timeline, the certificates are valid and no action is required. If your certificates are in the yellow section, you can begin the renewal process. If your certificates are in the red section, your certificates are expired, and must be renewed.

Figure: Certificates Expiry card

To view the details of a certificate, such as the issue details, total validity period, and fingerprints, hover over the circle on the timeline bar, and click More details.

Figure: Certificates details card

To view a list of all certificates for your Istio setup, you can click the Details button, or go to the Certificates page. This list provides the Filter by expiration… dropdown to filter insights by validity status, and the Filter by type… dropdown to filter certificates by type, such as root or intermediate.

Review FIPS compliance

The Istio FIPS card of the dashboard confirms whether the images that you use for your Istio control plane are FIPS compliant, and whether ther workloads in your data plane are managed by a FIPS-complaint Istio control plane.

For example, if your environment runs workloads that require federal information processing compliance, you can use Solo Istio images that are specially built to comply with NIST FIPS. When you deploy Istio by using a Solo Istio image tagged with -fips, your istiod control plane becomes FIPS compliant. Then, when you update workloads in your service mesh to be managed by this istiod control plane, your workloads are also counted as FIPS complaint.

In this example, the istiod control plane is not FIPS compliant, but all in-mesh workloads are.

Figure: Istio FIPS card

For more information on FIPS compliance, see Supported Istio versions.

Verify zero trust

The Zero Trust card of the dashboard summarizes the security posture of traffic to and from your in-mesh services.

For example, if you configure your Istio workloads to use the PERMISSIVE mutual TLS (mTLS) mode, only a low number of workloads might receive mTLS-encrypted traffic requests. If you later add proxy sidecars to more of your services to include them in the mesh, and switch the mTLS mode to STRICT, the number of services receiving encrypted traffic increases significantly.

Additionally, this card helps you keep track of how many services that are external to the mesh are accessed by services that are in the mesh. To see the list of accessed external services, click Details.

Figure: Zero Trust card

Disable insights

As you resolve insights in your environment, you might want to ignore or remove some insights instead of resolving them. For example, an insight that gives a warning for production usage might not be relevant when you try out a new feature in a sandbox Istio environment.

To disable an insight and remove it from your insights list in the Gloo Mesh Core UI, include the insight’s code in an InsightsConfig resource. To find an insight’s code, go to the list of insights, click the insight’s Details, and look for the Code.

For example, the following resource disables the CFG0002 and CFG0003 insights.

  apiVersion: admin.gloo.solo.io/v2
kind: InsightsConfig
metadata:
  name: insights-config
  namespace: gloo-mesh
spec:
  disabledInsights:
    - CFG0002
    - CFG0003