Explore the UI
After connecting to the Gloo UI, explore the basic layout. Review your Gloo Mesh components, Istio workloads, insights, your security posture, and more.
The UI offers a view-only experience. Users cannot modify resources.
Launch
The Gloo UI is served from the gloo-mesh-ui service on port 8090. When you have access to the management cluster, you can launch the Gloo UI from your local machine. You can connect by using the meshctl or kubectl CLIs.
Open the Gloo UI. The Gloo UI is served from the
gloo-mesh-uiservice on port 8090. You can connect by using themeshctlorkubectlCLIs.
- meshctl: For more information, see the CLI documentation.
meshctl dashboard - kubectl:
- Port-forward the
gloo-mesh-uiservice on 8090.kubectl port-forward -n gloo-mesh svc/gloo-mesh-ui 8090:8090 - Open your browser and connect to http://localhost:8090.
- Port-forward the
- Optional: If authentication is enabled, sign in.
- Review the dashboard.
Home
View the health and performance of your Gloo Mesh components and Istio workloads, and view recommendations to harden your setup by using the Dashboard and Insights pages.
Dashboard
The Gloo UI dashboard provides an at-a-glance overview of the health of your Gloo Mesh components, your Istio installation, and different tiles to quickly determine the security posture, compliance, inventories, and health of your Gloo Mesh environment.
Insights
Gloo Mesh comes with an insights engine that automatically analyzes your Istio setups for health issues. These issues are displayed in the UI along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For an overview of available insights, see Insights.
Inventory
The Inventory section provides an at-a-glance look at the health of registered clusters and discovered services that make up your Gloo Mesh environment.
Clusters
On the Clusters page, review details of the cluster where Gloo Mesh is installed. In a multicluster setup, you can review the details of each cluster that you registered with the Gloo management plane.
To filter clusters by the cluster’s installation health, click the Healthy and Unhealthy buttons. You can also use the Sort by Name dropdown or the search bar to filter clusters by name.
Figure: Clusters page Figure: Clusters page Click More Details to see a more detailed dashboard for the cluster. This dashboard can help you find errors in your Gloo and Istio setups. Note that if you run multiple versions of Istio within the same cluster, you can click each version in the Version tab to see its details.
Services
On the Services page, review a list of the discovered services across all clusters in your Gloo setup. Quickly find out if traffic cannot reach your services by clicking the Healthy and Unhealthy buttons. You can also filter services by name using the search bar, filter by in-mesh and out-of-mesh services, and modify the timeframe that services are available in by using the dropdown menu.
Note that the health of your services on the Services overview page refers to whether network traffic requests are getting fulfilled by the service. You can review the configuration health of the service by clicking Details.
From the Details page of a service:
- To debug the service, click View YAML to view the service’s YAML configuration.
- See an analysis of the service’s error rate and latency in the Service Signals card.
- View the Graph tab to visualize the network traffic that reaches your service mesh. For more information about how to use the graph, see Graph.
- If you enable tracing in the Gloo telemetry pipeline, you can see request traces for a service in the built-in Jaeger UI that you can find in the Tracing tab. For more information about how to enable and use the tracing interface, see Tracing.
Traffic
Review the configuration of ingress and egress gateways in your Gloo Network environment.
Ingress
View the Gateway resources for the Istio ingress gateway proxies in your environment. This page helps you quickly see which domains and ports each gateway serves, the services that back each gateway, and whether the gateway is configured with a TLS certificate.
For more information, see the Deploy Gloo-managed service meshes.
Security
Security insights
The Dashboard and Security Insights pages of the Gloo UI can help you review the overall security posture of your Istio setup, including insights and recommendations regarding your certificates, encrypted traffic, FIPS compliance, and more.
For more information, see Review your security posture.
Certificates
View a list of all Istio and relay certificates in your environment. This list provides the Filter by expiration… dropdown to filter certificates by validity status, and the Filter by type… dropdown to filter certificates by type, such as Istio root or intermediate.
To view the details of a certificate, such as the issue details, total validity period, and fingerprints, click Details. On the certificate details page, you can review general information, such as the common name and organization the certificate is issued to, and check the validity period and fingerprints of the certificate.
Resources
Find an overview of resources that are deployed in your cluster and use the filter options in the Gloo UI to find the resource that you need.
Solo
View the Gloo Mesh custom resources that you created in your environment. Use the Filter by options to filter the list by resource type. To view the YAML configuration for a resource, click View YAML.
Istio
View the Istio resources in your Gloo Mesh environment, such as virtual services, gateways, or Istio operators. Use the Filter options to filter the list by namespace and Istio resource type. To view the YAML configuration for a resource, click View YAML.
Gateway API
View all Kubernetes Gateway API resources in your environment. For more information, see the Kubernetes Gateway API guide in the Istio documentation.
Kubernetes
View all Kubernetes resources in your cluster, such as services, service accounts, secrets, or cluster roles. Use the Filter options to filter the list by namespace and Kubernetes resource type. To view the YAML configuration for a resource, click View YAML.
Observability
The Gloo UI consumes telemetry data from Prometheus and Jaeger and visualizes this data in the Observability section.
Graph
The Gloo UI includes a Graph page to visualize the network traffic that reaches your service mesh. The graph is based off Prometheus metrics that the built-in telemetry pipeline collects and exposes.
Layout settings
From the footer toolbar, click Layout Settings. Toggle on or off the following settings.
Layout settings
- Animations: Change the paths between nodes from a directional animation to a solid line.
- Group By: In view 1, toggle the architectural layout between
CLUSTERandWORKSPACE.CLUSTER: Review the clusters and Kubernetes namespaces that your app nodes are organized in. For example, you might want to focus on reviewing multicluster traffic failover by toggling this view.WORKSPACE: Review the Gloo workspaces that your app nodes are organized in. For example, you might want to focus reviewing traffic across each of your team’s workspaces.
- Mutual TLS: If you use Gloo Mesh Enterprise, toggle the lock icons along paths between nodes. For example, if all your workspaces enable service isolation, then all traffic is secured via mTLS. Thus, you might not want to see the lock icons.
- TCP: Review TCP traffic.
Node types displayedNodes represent the application “nodes” of the graph. (Note that nodes represent your apps, not Kubernetes compute nodes.) You can toggle on and off views for the following nodes:
- Kubernetes services
- External services
- Gateways
Node states displayedToggle on or off idle nodes, which are nodes that do not receive traffic.
If you don’t see your apps in the graph, select a different range of time from the Traffic dropdown.
Filters
In the Search bar, filter the services that you want to see in the graph. You can choose to include or hide those services.
From the Traffic dropdown, select the range of time that you want the graph to show, such as traffic from the last 15 minutes.
From the Refresh dropdown, select how often you want the graph to refresh the data, such as every 5 seconds. You can also refresh on demand by clicking REFRESH.
After the header toolbar, you can filter what the graph shows by workspace, namespace, and cluster. Filters work like the logical operator AND, so results must meet all the criteria. For example, if you filter by bookinfo workspace, bookinfo namespace, and cluster1, then the graph shows services that meet all these criteria.
Toggle Errors Only to see services that experienced traffic errors during the traffic time range you selected from the header toolbar.
Within the graph views, you can navigate by clicking and dragging whitespace within the main canvas, or by using the navigation arrow buttons, as shown in the following figure.
After the header toolbar, filter, and main canvas, you can choose more viewing options in the footer toolbar.
| # | Icon name | Description |
|---|---|---|
| 1 | Fullscreen | Click to expand your browser to fullscreen. Click again or enter ESC to return to the normal screen size. |
| 2 | Zoom in and out | Zoom in or out on the main view’s canvas. Depending on your mouse settings, you can also scroll to zoom in and out. |
| 3 | Fit to canvas | Click to center and fit the content of the current view to the canvas size. This action might be helpful if you rearranged the nodes and zoomed in. |
| 4 | Networking graph views | Click one of the networking graph views to change how the nodes are displayed in the main canvas. For more information, see Networking views. |
| 5 | View legend | Open the graph legend. For more information, see Legend. |
| 6 | Layout settings | Open the graph layout settings. For more information, see Layout settings. |
Legend
From the footer toolbar, click Show Legend.
Node Types describes the icons that are used for the application “nodes” of the graph. For example, a node might be a Kubernetes service, such as a gateway proxy, mesh workload, or waypoint proxy, or an external service, such as a virtual machine (VM), external workload, or Lambda function.
Node States and Edges show whether a service’s traffic behaves normally or not, as indicated by a color or icon.
| Color or icon | State | Description |
|---|---|---|
| Blue | Normal | The node sends and responds to traffic as expected. |
| Red | Danger | The node has some sort of failure. For example, a policy might be applied to a route that blocks traffic to a service. |
| Yellow | Warn | The node has some sort of degraded traffic. For example, a policy might be applied to a route that rate limits traffic to a service. Most of the requests are successful, but some are not. |
| Gray | Idle | The node does not yet accept or send traffic. For example, the deployment might be pending. |
| Dashed, black line | L7 | The traffic between nodes is sent over Layer 7 (application). For this traffic, you can apply L7 HTTP/HTTPS policies that are supported in Gloo Mesh Enterprise, Gloo Mesh Gateway, and Gloo Gateway only. |
| Solid, navy or gray line | L4 | The traffic between nodes is sent over Layer 4 (transport). |
| Colorful triangles | Failure, Healthy, Degraded, or Idle | The connection is in a state of failure, healthy, degraded, or idle, depending on the color. Try describing the resources in your cluster to troubleshoot further. |
| Blue lock icon | mTLS applied | Service isolation is enabled for the traffic, with communication secured via mTLS. You can change service isolation settings via an access policy for a specific destination, or for the entire workspace via the workspace settings. |
| Istio icon | Enforced by Istio | The traffic connection is enforced by Istio. |
Show an architectural view of your app nodes in the main canvas area of the graph. This view organizes the app nodes by the Gloo workspace, Kubernetes namespace, and cluster that you filter for.
To rearrange nodes, click and drag. In this view, your changes are cached so that the canvas setup stays similar when you return to the page. For information on the edge paths, node states, locks, and more, see the Legend tab.
Show a simple view of the app nodes in your environment. Nodes are grouped together in close proximity. This view does not show workspace, namespace, or cluster boundaries. However, those boundaries are still used to show or hide out nodes based on your filters.
To rearrange nodes, click and drag. Note that in this view, your changes are NOT cached. For information on the edge paths, node states, locks, and more, see the Legend tab.
Show a simple view of the app nodes in your environment. Nodes are organized into a vertical chain layout. This view does not show workspace, namespace, or cluster boundaries. However, those boundaries are still used to show or hide out nodes based on your filters.
To rearrange nodes, click and drag. Note that in this view, your changes are NOT cached. For information on the edge paths, node states, locks, and more, see the Legend tab.
Tracing
Gloo Network integrates with Jaeger as the tracing platform. Jaeger is an open source tool that helps you follow the path of a request as it is forwarded between microservices. The chain of events and interactions are then captured by the Gloo telemetry pipeline and visualized in the Jaeger UI that is embedded on the Tracing page of the Gloo UI. You can use this data to troubleshoot issues in your microservices and identify bottlenecks.
To access the Jaeger UI through the Gloo UI, you must enable tracing in the Gloo telemetry pipeline and instrument your apps to collect traces. If you have an existing Jaeger instance that you want to use to visualize traces, you can configure the Gloo UI to embed the UI of your Jaeger instance. For more information, see Add Istio request traces.
Logs
You can use the Gloo UI log viewer to see the logs of Gloo and Istio components, such as the Gloo management server, the Gloo telemetry collector agent, or the Gloo UI. These logs can help you monitor the health of your Gloo components and troubleshoot issues.
Logs are disabled in the Gloo UI by default. You must opt in to see the logs by enabling the log pipeline in your Helm installation. Note that this feature requires a Gloo Mesh Enterprise license. For more information, see Enable logs.
To view logs, use the log viewer filter options to select the cluster, Gloo component, pod name, and, if applicable, the container that you want to check the logs for. You can also use the search capability to find logs that match a specific search term, or download the logs so that you can share them with your team.
