As discussed in the Policies and Telemetry WG, we are deprecating custom CRDs used by Istio Mixer.
This should ultimately simplify the policy and telemetry configuration model to 6 CRDs total:
- adapter, attributemanifest, and template for Istio extension declarations;
- handler, rule, and instance for specifying extension invocations.
Istio 1.1.3 supports both custom CRDs and the simplified CRDs for in-process adapters. Out-of-process adapters require the use of the simplified resource model. We plan to disable the support for custom CRDs in Istio 1.2 by default, so we strongly recommend using the simplified configuration model in Istio 1.1.x for all new configuration.
We have updated all default configuration in 1.1.3 to use the simplified model, and documented examples of converting the config published in Istio task guides. For example, https://istio.io/docs/tasks/policy-enforcement/denial-and-list/ lists two variants of the same config:
```yaml
# before:
apiVersion: config.istio.io/v1alpha2
kind: denier
metadata:
  name: denyreviewsv3handler
spec: *params
---
apiVersion: config.istio.io/v1alpha2
kind: checknothing
metadata:
  name: denyreviewsv3request
spec:
```

```yaml
# after:
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: denyreviewsv3handler
spec:
  compiledAdapter: denier
  params: *params
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: denyreviewsv3request
spec:
  compiledTemplate: checknothing
```
Note the use of the `compiledAdapter` and `compiledTemplate` fields to indicate the in-process adapter and template references.
An important caveat is that rewriting the configuration as above affects the qualified names of the configuration resources. A qualified name of a Mixer resource consists of three parts: name, resource kind, and an optional namespace. Therefore, in the associated rule, `denyreviewsv3handler.denier` changes to `denyreviewsv3handler`, and similarly, `denyreviewsv3request.checknothing` changes to `denyreviewsv3request`, in short form. This means that a name collision is possible if two instances or two handlers have the same name under two different kinds. Please make sure that your instances and handlers in the same namespace carry unique names.
Reach out to us if you have any further questions.
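To check an existing configuration for the name collision described in the caveat above, the following added example (not part of the original announcement or of Istio) groups resources by the name they will have after rewriting. The kind lists, the `default` namespace fallback, and the sample inventory are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: partial kind lists for illustration; extend them with the custom
# adapter and template kinds actually deployed in your mesh.
ADAPTER_KINDS = {"denier", "listchecker"}
TEMPLATE_KINDS = {"checknothing", "listentry"}


def simplified_kind(kind):
    """Map a custom CRD kind to the simplified kind it is rewritten as."""
    if kind in ADAPTER_KINDS:
        return "handler"
    if kind in TEMPLATE_KINDS:
        return "instance"
    return None  # not a custom adapter/template kind listed above


def find_collisions(resources):
    """Return {(namespace, simplified kind, name): [old qualified names]}
    for every name that two resources would share after rewriting."""
    groups = defaultdict(list)
    for res in resources:
        new_kind = simplified_kind(res["kind"])
        if new_kind is None:
            continue
        # Assumption: resources without a namespace live in "default".
        key = (res.get("namespace", "default"), new_kind, res["name"])
        groups[key].append(f'{res["name"]}.{res["kind"]}')
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample inventory (not taken from a real cluster).
SAMPLE = [
    {"name": "denyreviewsv3handler", "kind": "denier", "namespace": "default"},
    {"name": "denyreviewsv3request", "kind": "checknothing", "namespace": "default"},
    {"name": "whitelist", "kind": "listchecker", "namespace": "default"},
    {"name": "whitelist", "kind": "denier", "namespace": "default"},
    {"name": "whitelist", "kind": "listentry", "namespace": "default"},
    {"name": "whitelist", "kind": "denier", "namespace": "istio-system"},
]

if __name__ == "__main__":
    for (ns, kind, name), old in find_collisions(SAMPLE).items():
        print(f"{ns}: {kind} '{name}' would be shared by {', '.join(old)}")
```

A rule that referenced `whitelist.denier` or `whitelist.listchecker` would resolve to the same short name after rewriting, so rename one of the two before converting.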