Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-2371

Kiali in read-only mode still can change the log level of the envoy proxies

XMLWordPrintable

    • Icon: Ticket Ticket
    • Resolution: Done
    • Icon: Normal Normal
    • OSSM 2.3.2
    • OSSM 2.3.0
    • Kiali
    • None
    • False
    • None
    • False
    • Release Notes
    • Bug Fix

      Tested with Service Mesh 2.3.0 and Kiali 1.57.3. 

       

      Despite Kiali being configured as read-only, any user can change the log level of the envoy proxies.  Need the read-only feature to prevent this change as well. 

      Steps to reproduce:

      1. Deploy ServiceMesh with Kiali in read-only mode:

      spec:
  addons:
    kiali:
      enabled: true
      install:
        dashboard:
          enableGrafana: true
          enablePrometheus: true
          enableTracing: true
          viewOnly: true
      name: kiali
 [...]

      2. Add a namespace to the SMMR, and deploy an application.

      3. Log in to Kiali, go to Workloads, select one of them. 

      4. Go to the Logs tab, and then to the three dots on the right. 

      5. Select any proxy log level.

       

      Expected behaviour:

      The proxy log level should not be set from Kiali when  "viewOnly: true" is set.  

       

       

        1. image-2023-01-18-14-27-53-855.png
          image-2023-01-18-14-27-53-855.png
          280 kB
        2. image-2023-01-18-14-33-16-582.png
          image-2023-01-18-14-33-16-582.png
          33 kB
        3. image-2023-01-18-14-35-41-282.png
          image-2023-01-18-14-35-41-282.png
          10 kB

            [OSSM-2371] Kiali in read-only mode still can change the log level of the envoy proxies

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Moderate: Red Hat OpenShift Service Mesh Containers for 2.3.2 security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2023:1448

            Errata Tool added a comment - Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Moderate: Red Hat OpenShift Service Mesh Containers for 2.3.2 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:1448

            Matej Nesuta added a comment -

            Went through the steps rh-ee-jcordoba posted and everything works as described in the ticket.

            Matej Nesuta added a comment - Went through the steps rh-ee-jcordoba posted and everything works as described in the ticket.

            Josune Cordoba Torrecilla added a comment -

            Some testing instructions:

            • view_only_mode: false

            Go to any workload detail > Go to the "Logs" tab > Click in the kebab

            It should be possible to click in any log level under "Set Proxy Log Level" and a successful message should be shown:

             

            • view_only_mode: true

            Note that the Kiali pods must be restarted after the change.

            Go to any workload detail > Go to the Log tab > Click in the kebab

            It should NOT be possible to click in any log level under "Set Proxy Log Level". The options should be disabled.

            Josune Cordoba Torrecilla added a comment - Some testing instructions: view_only_mode: false Go to any workload detail > Go to the "Logs" tab > Click in the kebab It should be possible to click in any log level under "Set Proxy Log Level" and a successful message should be shown:   view_only_mode: true Note that the Kiali pods must be restarted after the change. Go to any workload detail > Go to the Log tab > Click in the kebab It should NOT be possible to click in any log level under "Set Proxy Log Level". The options should be disabled.

            Jay Shaughnessy added a comment -

            OK, sounds good, if the customer elevates just let us know, but for now only looking to change the 2.3 line.

            Jay Shaughnessy added a comment - OK, sounds good, if the customer elevates just let us know, but for now only looking to change the 2.3 line.

            Jay Shaughnessy added a comment -

            Upstream tracking in https://github.com/kiali/kiali/issues/5714

            Jay Shaughnessy added a comment - Upstream tracking in https://github.com/kiali/kiali/issues/5714

              rh-ee-jcordoba Josune Cordoba Torrecilla
              rhn-support-asolanas Alexis Solanas
              Matej Nesuta
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: