
Enabling Envoy Authorization Service and gRPC Access Log Service With Mixer

Pengyuan Bian edited this page Sep 1, 2020 · 7 revisions

TL;DR

Mixer has been fully deprecated since the 1.8 release, and Istio is moving to WebAssembly for extensions. This blog post has more background: https://istio.io/latest/blog/2020/wasm-announce/. However, migrating from Mixer-based extensions to Wasm modules takes time. This page describes how to enable the Envoy authorization service and access log service and make them work with a Mixer 1.7 installation. The goal is that after upgrading Istio you can keep the 1.7 Mixer and its related configuration for any extension functionality, so that you have enough time to migrate.

Enable Envoy Access Log Service and Authorization Service

Assume you have Istio installed with Mixer enabled in your cluster, using installation options similar to the following:

istioctl install <your options or operator file> \
  --set components.policy.enabled=true \
  --set components.telemetry.enabled=true  \
  --set meshConfig.disablePolicyChecks=false \
  --set meshConfig.disableMixerHttpReports=false

To enable the Envoy authorization service and point it at the istio-policy service, apply the following EnvoyFilter resource in your cluster:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-policy
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.http_connection_manager
            subFilter:
              name: envoy.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
          grpc_service:
            google_grpc:
              target_uri: istio-policy.istio-system:9091
              stat_prefix: istio-policy.istio-system
            timeout: 5s

To enable the Envoy access log service and point it at the istio-telemetry service, apply the following EnvoyFilter resource in your cluster:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-telemetry
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          access_log:
            - name: envoy.access_loggers.http_grpc
              typed_config:
                "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig"
                common_config:
                  log_name: istio-telemetry.istio-system
                  grpc_service:
                    google_grpc:
                      target_uri: istio-telemetry.istio-system:9091
                      stat_prefix: istio-telemetry.istio-system
                additional_request_headers_to_log:
                - :authority
                - content-type
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.tcp_proxy"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"
          access_log:
            - name: envoy.access_loggers.tcp_grpc
              typed_config:
                "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig"
                common_config:
                  log_name: istio-telemetry.istio-system
                  grpc_service:
                    google_grpc:
                      target_uri: istio-telemetry.istio-system:9091
                      stat_prefix: istio-telemetry.istio-system

With the Envoy Access Log Service and Authorization Service enabled, the Mixer client report and check calls can be disabled with the following:

istioctl install <your options or operator file> \
  --set components.policy.enabled=true \
  --set components.telemetry.enabled=true \
  --set meshConfig.disablePolicyChecks=true \
  --set meshConfig.disableMixerHttpReports=true

Envoy is now configured to perform Check and Report calls against the Mixer server through its native APIs.

Behavior Difference between Mixer Client and Envoy APIs

Note, there are some differences between Envoy APIs and Mixer Client:

  • Envoy's gRPC service requires the destination cluster to be a static cluster, so with the configuration above the ext_authz check requests and the gRPC access log are sent in plain text. To work around this, a bootstrap override is needed that registers a static upstream cluster with an mTLS transport security context, which the EnvoyFilter configuration above then references.
  • Report and check calls made through the Envoy APIs do not carry the context.reporter.kind attribute, so it is always set to inbound.
  • context.reporter.uid is always set to envoy_accesslog_service in reports from the Envoy Access Log Service. This lets you tell the two sources apart while there are double reports, which is useful during migration when both the Envoy gRPC Access Log Service and Mixer client reporting are enabled.
  • Since the Envoy ext_authz filter has no client-side cache, it makes a check call to istio-policy for every request passing through, so the istio-policy deployment will need more resources than it does with the Mixer client.
  • The Access Log Service configuration requires the headers to log to be listed explicitly, as shown by :authority and content-type in the example configuration above. content-type is used to distinguish HTTP from gRPC, and :authority to populate the request host attribute.
  • Mixer reports periodically for TCP connections, but the Envoy Access Log Service only reports when the connection closes.
  • Some noticeable attribute differences:
    • The Envoy ext_authz check lacks the following attributes: connection.mtls, context.proxy_version, context.reporter.uid, destination.service.*.
    • The Envoy gRPC access log lacks the following attributes: connection.mtls, connection.requested_server_name, context.proxy_version, context.reporter.uid, destination.service.uid, istio_authn, request.auth.principal.
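As an added check (not part of the original page or of Istio itself), the script below walks EnvoyFilter resources and reports every google_grpc target that has no ssl_credentials, i.e. check or report traffic that Envoy would send to Mixer in plain text. The sample input is constructed from the two resources above; the telemetry entry has channel_credentials added (an assumption, to show the contrast), and envoy_grpc targets are skipped because their transport socket lives in the bootstrap cluster, not in the EnvoyFilter.

```python
import json

# Constructed sample, not taken from a live cluster: the grpc_service parts of
# the two EnvoyFilter resources above, as JSON so no YAML library is needed. The
# telemetry entry adds channel_credentials (an assumption) to show the contrast.
SAMPLE_FILTERS = json.loads("""
[
 {"name": "istio-policy", "spec": {"configPatches": [{"patch": {"value": {
   "name": "envoy.ext_authz", "typed_config": {"grpc_service": {"google_grpc": {
     "target_uri": "istio-policy.istio-system:9091",
     "stat_prefix": "istio-policy.istio-system"}, "timeout": "5s"}}}}}]}},
 {"name": "istio-telemetry", "spec": {"configPatches": [{"patch": {"value": {
   "typed_config": {"access_log": [{"name": "envoy.access_loggers.http_grpc",
     "typed_config": {"common_config": {"log_name": "istio-telemetry.istio-system",
       "grpc_service": {"google_grpc": {
         "target_uri": "istio-telemetry.istio-system:9091",
         "stat_prefix": "istio-telemetry.istio-system",
         "channel_credentials": {"ssl_credentials": {
           "root_certs": {"filename": "/etc/certs/root-cert.pem"}}}}}}}}]}}}}]}}
]
""")


def iter_grpc_services(node):
    """Yield every grpc_service dict found anywhere in a nested config."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "grpc_service" and isinstance(value, dict):
                yield value
            yield from iter_grpc_services(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_grpc_services(item)


def find_plaintext_targets(envoy_filters):
    """Return [(EnvoyFilter name, target_uri)] for google_grpc targets lacking
    ssl_credentials, i.e. check/report traffic Envoy would send in plain text.
    envoy_grpc targets are skipped: their security is decided by the transport_socket
    of the named cluster in the bootstrap, which the EnvoyFilter does not show."""
    findings = []
    for ef in envoy_filters:
        for svc in iter_grpc_services(ef["spec"]):
            google = svc.get("google_grpc")
            if google is None:
                continue
            if "ssl_credentials" not in google.get("channel_credentials", {}):
                findings.append((ef["name"], google.get("target_uri", "?")))
    return findings
```

Run it against `istioctl proxy-config`-style config dumps converted to JSON to audit a real sidecar; anything it reports is Mixer traffic leaving the pod without TLS.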

Here are example attribute bags generated from the Envoy ext_authz check and the gRPC access log report.

Update to 1.8

When upgrading to Istio 1.8 or any later version, you can simply run:

istioctl upgrade <your options or operator file>

All Mixer-related deployments and resources should still be preserved.
