Access and Expose Kiali, Grafana, and Jaeger
By default, Kyma does not expose Kiali, Grafana, and Jaeger. However, you can still access them using port forwarding. If you want to expose Kiali, Grafana, and Jaeger securely, use an identity provider of your choice.
- You have defined the kubeconfig file for your cluster as default (see Kubernetes: Organizing Cluster Access Using kubeconfig Files).
- To expose the services securely with OAuth, you must have a registered OAuth application with one of the supported providers.
- To forward a local port to a port on the service's Pod, run the following command:
`kubectl port-forward` does not return. To stop port forwarding, cancel it with
- To access the respective service's UI, open `http://localhost:3000` (for Grafana), or `http://localhost:16686` (for Jaeger) in your browser.
Kyma manages an OAuth2 Proxy instance to secure access to Kiali, Grafana, and Jaeger. To make the services accessible, configure OAuth2 Proxy by creating a Kubernetes Secret with your identity provider credentials.
The following example shows how to use an OpenID Connect (OIDC) compliant identity provider for Kiali, Grafana, and Jaeger.
NOTE: The OAuth2 Proxy supports a wide range of other well-known authentication services or OpenID Connect for custom solutions. To find instructions for other authentication services, see the list of supported providers.
Create a new OpenID Connect application for your identity provider and set the callback URL to the `/oauth2/callback` path of your service.
For example, if your Kyma cluster is reachable under
TIP: The subdomain is already exposed by default. Simply change the root domain to your cluster domain.
Your identity provider will return a client ID, a client secret, and a token issuer URL.
Create a Secret for the OAuth2 Proxy configuration environment variables.
For an OpenID Connect compliant provider, adapt the client ID, secret and token issuer to the values that were provided while creating the application.
To limit access to specific user groups, configure this with the `OAUTH2_PROXY_ALLOWED_GROUPS` variable and ensure that `OAUTH2_PROXY_OIDC_GROUPS_CLAIM` points to the groups attribute name that is used by your authentication service (`groups` is the default). To get the configuration flags required for other identity provider types, see the OAuth2 Proxy docs.
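One way to build the Secret described above, as an added example rather than the command from the Kyma documentation: a POSIX shell function that validates the identity provider values and renders the Secret manifest from environment variables, which keeps the client secret out of command-line arguments. The `OIDC_*` variable names are assumptions of this example, and `SECRET_NAME` and `SECRET_NAMESPACE` are placeholders for the Secret name and namespace your Kyma installation expects.

```shell
# Added example: render the OAuth2 Proxy Secret as a manifest from environment
# variables. SECRET_NAME and SECRET_NAMESPACE are placeholders to be filled in
# with the values your Kyma installation expects; OIDC_* names are assumptions.
render_oauth2_proxy_secret() {
  nl='
'
  for var in OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ISSUER_URL SECRET_NAME SECRET_NAMESPACE OIDC_ALLOWED_GROUPS OIDC_GROUPS_CLAIM; do
    eval "val=\${$var:-}"
    case "$var" in
      OIDC_ALLOWED_GROUPS|OIDC_GROUPS_CLAIM) ;;  # optional settings
      *) [ -n "$val" ] || { echo "error: $var is not set" >&2; return 1; } ;;
    esac
    # Refuse characters that would break out of the quoted YAML scalar.
    case "$val" in
      *\"*|*\\*|*"$nl"*) echo "error: $var has a quote, backslash or newline" >&2; return 1 ;;
    esac
  done
  # The issuer serves the discovery document and signing keys: require TLS.
  case "$OIDC_ISSUER_URL" in
    https://?*) ;;
    *) echo "error: OIDC_ISSUER_URL must start with https://" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: "${SECRET_NAME}"
  namespace: "${SECRET_NAMESPACE}"
type: Opaque
stringData:
  OAUTH2_PROXY_PROVIDER: "oidc"
  OAUTH2_PROXY_CLIENT_ID: "${OIDC_CLIENT_ID}"
  OAUTH2_PROXY_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
  OAUTH2_PROXY_OIDC_ISSUER_URL: "${OIDC_ISSUER_URL}"
EOF
  # Restrict access to specific groups only when a list was supplied.
  if [ -n "${OIDC_ALLOWED_GROUPS:-}" ]; then
    printf '  OAUTH2_PROXY_ALLOWED_GROUPS: "%s"\n' "$OIDC_ALLOWED_GROUPS"
    printf '  OAUTH2_PROXY_OIDC_GROUPS_CLAIM: "%s"\n' "${OIDC_GROUPS_CLAIM:-groups}"
  fi
}
# Usage: render_oauth2_proxy_secret | kubectl apply -f -
```

The function prints nothing to stdout when validation fails, so a failed check never sends a partial manifest to the cluster.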
The following code works on Linux and macOS. If you are using Windows, replace the
^(CMD) for multi-line commands.
NOTE: By default, you are redirected to the documentation. To go to the service's UI instead, disable the OAuth2 Proxy provider button by setting
- Restart the OAuth2 Proxy pod: