Deprecated Mixer

m-czernek · March 20, 2020, 12:43pm

Hi there,

at [1], I see that Mixer is being deprecated. The small textbox at [1] mentions that the Mixer functionality is moving into Envoy.

What exactly is moving into the Envoy proxy? As of Istio 1.4, Mixer can do denials based on attributes, such as IPs, or headers. Where is this functionality moving? Is there any documentation I could read? I found nothing over at [2].

For example, right now, I can set Mixer to only allow ingress through ingress-gateway to a particular pod from IP x.x.x.x. No other IPs can GET the route. Where is this functionality moving to?

Any resources and help welcome!

[1] https://istio.io/docs/reference/config/policy-and-telemetry/
[2] https://www.envoyproxy.io/docs/envoy/latest/configuration/security/security

kuat · March 20, 2020, 6:19pm

For denials, you should use https://istio.io/docs/reference/config/security/authorization-policy/.
cc @YangminZhu

m-czernek · March 23, 2020, 1:28pm

Thank you, I did know about auth policies, but I was under the impression that it was only a part of Mixer that moved to that concept.

Is the whole security-related Mixer functionality being replaced by authorization policies?

Basically, RBAC + security subset of Mixer => authorization policies?

kuat · March 23, 2020, 7:04pm

Yes, most cases should be expressible via the authorization policies.
For remote authorization for something like OPA, you can use Envoy’s extauthz filter.

Topic		Replies	Views
IP Whitelisting with AuthorizationPolicy in EKS Networking	6	2872	December 29, 2021
Envoy and mixer	3	371	September 18, 2019
RBAC Config deserialization code Security	1	299	August 6, 2020
EnvoyFilter - ext_authz for istio 1.3 Security	1	2148	November 19, 2019
EnvoyFilter for ext-authz Security	5	2046	August 26, 2019

Deprecated Mixer

Related Topics