1 - Release Notes

For additional information check our sprint demo videos and blogs.

1.63.0

Sprint Release: Jan 27

Features:

Fixes:

Notes:

  • Helm 3.10 is now required to run the Helm Charts.

Deprecations:

1.62.0

Sprint Release: Jan 06, 2023

Features:

Fixes:

Deprecations:

1.61.0

Sprint Release: Dec 16

Features:

Fixes:

1.60.0

Sprint Release: Nov 25

Features:

Fixes:

Deprecations:

Known Issues:

With the move to a distroless container in v1.59, root CA certificates went missing. This affects the Kiali integration with OpenID. The problem will be fixed in the next release (v1.61). The workaround is to use one of the “-distro” image tags found on the Quay.io repo by specifying it in the deployment.image_version setting of the Kiali CR or server helm chart value. If using the operator, in order to be able to set the deployment.image_version within the Kiali CR, you must enable the allowAdHocKialiImage setting when installing the operator.

1.59.0

Sprint Release: Nov 4, 2022

Features:

Fixes:

1.58.0

Sprint Release: Oct 14, 2022

Features:

Fixes:

1.57.0

Sprint Release: Sep 23

Features:

Fixes:

Upgrade Notes:

The improved control plane card on the Overview page makes use of previously unused metrics. If these metrics have been removed from your environment you will need to add them back for the feature to work. As a result,

Metric Notes
process_cpu_seconds_total used to graph cpu usage in the control plane overview card
container_memory_working_set_bytes used to graph memory usage in the control plane overview card
pilot_proxy_convergence_time_sum used in control plane overview card to show the average proxy push time
pilot_proxy_convergence_time_count used in control plane overview card to show the average proxy push time


If these metrics have been removed from your environment you will need to add them back for the feature to work. As a result, we have updated our recommended Prometheus metric thinning configuration. See kiali.io for the updated configuration. The metrics used are not typically very heavy and adding them back should likely not be an issue.

See this FAQ entry for a list of all metrics required by Kiali.

1.56.0

Sprint Release: Sep 2

Features:

Fixes:

1.55.0

Sprint Release: August 12, 2022

Features:

Fixes:

1.54.0

Sprint Release: July 22, 2022

Features:

Fixes:

1.53.0

Sprint Release: July 1st, 2022

Features:

Fixes:

1.52.0

Sprint Release: June 10th, 2022

Features:

Fixes:

1.51.0

Sprint Release: May 20th, 2022

Features:

Fixes:

1.50.0

Sprint Release: April 29th, 2022

Features:

Fixes:

1.49.0

Sprint Release: April 8th, 2022

Features:

Fixes:

1.48.0

Sprint Release: March 18th, 2022

Features:

Fixes:

1.47.0

Sprint Release: February 25th, 2022

Features:

Fixes:

1.46.0

Sprint Release: February 4th, 2022

Features:

Fixes:

1.45.0

Sprint Release: January 14th, 2022

Features:

Fixes:

1.44.0

Sprint Release: December 3rd, 2021

Features:

Fixes:

1.43.0

Sprint Release: November 12nd, 2021

Features:

Please note this introduces a backward-incompatible change. Users with the prior ingress settings defined in their Kiali CR will need to make an update. Other users are not affected. The previous ingress settings were:

deployment:
  ingress_enabled: <true|false>
  override_ingress_yaml:
    ...the override yaml here...

This has been changed to the following:

deployment:
  ingress:
    enabled: <true|false>
    override_yaml:
      ...the override yaml here...

Fixes:

1.42.0

Sprint Release: October 22nd, 2021

Features:

Fixes:

1.41.0

Sprint Release: October 1st, 2021

Features:

Fixes:

1.40.0

Sprint Release: September 10th, 2021

Features:

Fixes:

1.39.0

Sprint Release: August 20th, 2021

Features:

Fixes:

1.38

1.38.1

Mid-Sprint Release: August 6th, 2021

Fixes:

1.38.0

Sprint Release: July 30th, 2021

Features:

Fixes:

1.37.0

Sprint Release: July 9th, 2021

Features:

Fixes:

1.36.0

Sprint Release: June 18th, 2021

Features:

Fixes:

2 - Security Bulletins

2.1 - KIALI-SECURITY-003 - Installation into ad-hoc namespaces

Description

A vulnerability was found in the Kiali Operator allowing installation of a specified image into any namespace.

Kiali users are exposed to this vulnerability if all the following conditions are met:

  • Kiali operator is used for installation.
  • Kiali CR was edited to install an image into an unapproved namespace.

This vulnerability is filed as CVE-2021-3495

Mitigation

If you can update:

  • Update to Kiali Operator v1.33.0 or later.

If you can not update:

  • Ensure only trusted individuals can create or edit a Kiali CRs (resources of kind “kiali”).

2.2 - KIALI-SECURITY-002 - Authentication bypass when using the OpenID login strategy

Description

A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.

Kiali users are exposed to this vulnerability if all the following conditions are met:

  • Kiali is setup with the openid authentication strategy.
  • As a result of configurations in both Kiali and your OpenID server, Kiali uses the implicit flow of the OpenID specification to negotiate authentication.
  • Kiali is setup with RBAC turned off.

This vulnerability is filed as CVE-2021-20278

Mitigation

If you can update:

  • Update to Kiali v1.31.0 or later.
  • If you need an earlier version, only Kiali 1.26.3 and 1.29.2 are fixed.

If you are locked with an older version of Kiali, you have three options:

  • Configure Kiali to use the authorization code flow of the OpenID specification; or
  • Configure Kiali to use the implicit flow of the OpenID specification and enable RBAC; or
  • Configure Kiali to use any of the other available authentication mechanisms.

2.3 - KIALI-SECURITY-001 - Authentication bypass using forged credentials

Description

A vulnerability was found in Kiali allowing an attacker to bypass the authentication mechanism. Currently, Kiali has four authentication mechanisms: login, token, openshift and ldap. All are vulnerable.

The vulnerability lets an attacker build forged credentials and use them to gain unauthorized access to Kiali.

Additionally, it was found that Kiali credentials were not being validated properly. Depending on the authentication mechanism configured in Kiali, this could facilitate unauthorized access into Kiali with forged and/or invalid credentials.

These vulnerabilities are filed as CVE-2020-1762 and CVE-2020-1764

Detection

Use the following bash script to check if you are vulnerable:

KIALI_VERSION=$(kubectl get pods -n istio-system -l app=kiali -o yaml | sed -n 's/^.*image: .*:v\(.*\)$/\1/p' | sort -u)
kubectl get deploy kiali -n istio-system -o yaml | grep -q LOGIN_TOKEN_SIGNING_KEY
TEST_KEY_ENV=$?
kubectl get cm kiali -n istio-system -o yaml | grep signing_key | grep -vq kiali
TEST_KEY_CFG=$?
VERSION_ENTRIES=(${KIALI_VERSION//./ })
echo "Your Kiali version found: ${KIALI_VERSION}"
[ ${VERSION_ENTRIES[0]} -lt "1" ] || ([ ${VERSION_ENTRIES[0]} -eq "1" ] && (\
  [ ${VERSION_ENTRIES[1]} -lt "15" ] || ([ ${VERSION_ENTRIES[1]} -eq "15" ] && ( \
  [ ${VERSION_ENTRIES[2]} -le "0" ])))) && echo "Your Kiali version is vulnerable"
[ $TEST_KEY_ENV -eq 1 ] && [ $TEST_KEY_CFG -eq 1 ] && echo "Your Kiali configuration looks vulnerable"

The script output will be similar to this:

Your Kiali version found: 1.14.0
Your Kiali version is vulnerable
Your Kiali configuration looks vulnerable

Mitigation

  • Update to Kiali 1.15.1 or later.

Alternatively, if you cannot update to version 1.15.1, mitigation is possible by setting a secure signing key when deploying Kiali. If you installed via Kiali operator, you could use the following bash script:

SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
kubectl get kiali -n $(kubectl get kiali --all-namespaces --no-headers -o custom-columns=NS:.metadata.namespace) -o yaml | sed "s/spec:/spec:\n    login_token:\n      signing_key: $SIGN_KEY/" | kubectl apply -f -

If you installed via Istio helm charts or istioctl command, you could use the following bash script:

KIALI_INSTALL_NAMESPACE=istio-system
SIGN_KEY=$(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)
kubectl get cm kiali -n $KIALI_INSTALL_NAMESPACE -o yaml | sed "s/server:/login_token:\\n      signing_key: $SIGN_KEY\\n    server:/" | kubectl apply -f -
kubectl delete pod -l app=kiali -n $KIALI_INSTALL_NAMESPACE