Deprecated Mixer

m-czernek · March 20, 2020, 12:43pm

Hi there,

at [1], I see that Mixer is being deprecated. The small textbox at [1] mentions that the Mixer functionality is moving into Envoy.

What exactly is moving into the Envoy proxy? As of Istio 1.4, Mixer can do denials based on attributes, such as IPs, or headers. Where is this functionality moving? Is there any documentation I could read? I found nothing over at [2].

For example, right now, I can set Mixer to only allow ingress through ingress-gateway to a particular pod from IP x.x.x.x. No other IPs can GET the route. Where is this functionality moving to?

Any resources and help welcome!

[1] https://istio.io/docs/reference/config/policy-and-telemetry/
[2] https://www.envoyproxy.io/docs/envoy/latest/configuration/security/security

kuat · March 20, 2020, 6:19pm

For denials, you should use https://istio.io/docs/reference/config/security/authorization-policy/.
cc @YangminZhu

m-czernek · March 23, 2020, 1:28pm

Thank you, I did know about auth policies, but I was under the impression that it was only a part of Mixer that moved to that concept.

Is the whole security-related Mixer functionality being replaced by authorization policies?

Basically, RBAC + security subset of Mixer => authorization policies?

kuat · March 23, 2020, 7:04pm

Yes, most cases should be expressible via the authorization policies.
For remote authorization for something like OPA, you can use Envoy’s extauthz filter.

Topic		Replies	Views
Question on Mixer support in Istio 1.5 and authorization policy Security	0	439	March 20, 2020
Do AuthenticationPolicy and AuthorizationPolicy depend on Mixer?	4	542	May 20, 2020
Is mixer not needed for RBAC in Istio 1.3? Security	2	470	December 2, 2019
The successor of mixer adapter programming model Policies and Telemetry	3	655	June 5, 2020
Envoy's Metrics Service Policies and Telemetry	6	1117	February 5, 2019

Deprecated Mixer

Related Topics