Deprecated Mixer

Hi there,

at [1], I see that Mixer is being deprecated. The small textbox at [1] mentions that the Mixer functionality is moving into Envoy.

What exactly is moving into the Envoy proxy? As of Istio 1.4, Mixer can do denials based on attributes, such as IPs, or headers. Where is this functionality moving? Is there any documentation I could read? I found nothing over at [2].

For example, right now, I can set Mixer to only allow ingress through ingress-gateway to a particular pod from IP x.x.x.x. No other IPs can GET the route. Where is this functionality moving to?

Any resources and help welcome!

[1] https://istio.io/docs/reference/config/policy-and-telemetry/
[2] https://www.envoyproxy.io/docs/envoy/latest/configuration/security/security

For denials, you should use https://istio.io/docs/reference/config/security/authorization-policy/.
cc @YangminZhu

Thank you, I did know about auth policies, but I was under the impression that it was only a part of Mixer that moved to that concept.

Is the whole security-related Mixer functionality being replaced by authorization policies?

Basically, RBAC + security subset of Mixer => authorization policies?

Yes, most cases should be expressible via the authorization policies.
For remote authorization for something like OPA, you can use Envoy’s extauthz filter.