Enabling Envoy Authorization Service and gRPC Access Log Service With Mixer
Mixer is fully deprecated since the 1.8 release, and Istio is moving toward WebAssembly for extensions. This blog post has more background information: https://istio.io/latest/blog/2020/wasm-announce/. However, migrating from Mixer based extensions to Wasm modules takes time. This page describes how to enable the Envoy authorization service and access log service and make them work with a Mixer 1.7 installation. The goal is that after upgrading Istio you can still keep the 1.7 Mixer and its related configuration for any extension functionality, so that you have enough time for the migration.
Assuming you have Istio installed with Mixer enabled in your cluster, using installation options similar to the following:
```shell
istioctl install <your options or operator file> \
  --set components.policy.enabled=true \
  --set components.telemetry.enabled=true \
  --set meshConfig.disablePolicyChecks=false \
  --set meshConfig.disableMixerHttpReports=false
```
To enable the Envoy authorization service and point it at the istio-policy service, apply the following EnvoyFilter resource in your cluster:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-policy
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.http_connection_manager
            subFilter:
              name: envoy.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
          grpc_service:
            google_grpc:
              target_uri: istio-policy.istio-system:9091
              stat_prefix: istio-policy.istio-system
            timeout: 5s
```
To enable the Envoy access log service and point it at the istio-telemetry service, apply the following EnvoyFilter resource in your cluster:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-telemetry
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          access_log:
          - name: envoy.access_loggers.http_grpc
            typed_config:
              "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig"
              common_config:
                log_name: istio-telemetry.istio-system
                grpc_service:
                  google_grpc:
                    target_uri: istio-telemetry.istio-system:9091
                    stat_prefix: istio-telemetry.istio-system
              additional_request_headers_to_log:
              - ":authority"
              - "content-type"
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.tcp_proxy"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"
          access_log:
          - name: envoy.access_loggers.tcp_grpc
            typed_config:
              "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig"
              common_config:
                log_name: istio-telemetry.istio-system
                grpc_service:
                  google_grpc:
                    target_uri: istio-telemetry.istio-system:9091
                    stat_prefix: istio-telemetry.istio-system
```
With the Envoy access log and authorization services enabled, we can disable the Mixer client report and check calls with the following:
```shell
istioctl install <your options or operator file> \
  --set components.policy.enabled=true \
  --set components.telemetry.enabled=true \
  --set meshConfig.disablePolicyChecks=true \
  --set meshConfig.disableMixerHttpReports=true
```
Now Envoy is configured to do Check and Report with Mixer server through its native APIs.
Note that there are some differences between the Envoy APIs and the Mixer client:
- Due to a limitation of the Envoy gRPC service, which requires the destination cluster to be a static cluster, ext authz check requests and gRPC access logs have to be sent in plain text. To work around this, a bootstrap override is needed to register a static upstream cluster with an mTLS transport security context, which is then referenced by the EnvoyFilter configuration above.
- Report and check calls from the Envoy APIs do not carry the `context.reporter.kind` attribute, so it is always set to `inbound`.
- `context.reporter.uid` is always set to `envoy_accesslog_service` in reports from the Envoy access log service. This lets you tell the two sources apart while there are double reports, which is useful during migration when both the Envoy gRPC access log service and Mixer client report are enabled.
- Since the Envoy ext authz filter has no client cache, it makes a check call to `istio-policy` for every request going through, so the `istio-policy` deployment will need more resources than when running with the Mixer client.
- The access log service configuration requires the headers to log to be listed explicitly. This can be seen with `:authority` and `content-type` in the example configuration above: `content-type` is used to distinguish between HTTP and gRPC, and `:authority` to obtain the request host attribute.
- Mixer reports periodically for TCP connections, but the Envoy access log service only reports when the connection closes.
- Some noticeable attribute differences:
  - The Envoy ext authz check misses the following attributes: `connection.mtls`, `context.proxy_version`, `context.reporter.uid`, `destination.service.*`.
  - The Envoy gRPC access log misses the following attributes: `connection.mtls`, `connection.requested_server_name`, `context.proxy_version`, `context.reporter.uid`, `destination.service.uid`, `istio_authn`, `request.auth.principal`.
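The first difference above says a bootstrap override is needed to register a static mTLS cluster, but does not show one. The following is an added example, not from the original page and not Istio's own configuration, of what that override can look like: a ConfigMap carrying a `custom_bootstrap.json` that defines a static cluster `istio-policy-mtls` with an upstream TLS context, the pod annotation that asks the injector to merge it into the sidecar bootstrap, and the `grpc_service` stanza of the istio-policy EnvoyFilter switched from `google_grpc` to `envoy_grpc` so that it references the static cluster. The cluster name, the port 15004, the SPIFFE identity of istio-policy, the certificate paths under `/etc/certs`, and the `sidecar.istio.io/bootstrapOverride` annotation are assumptions; verify them against your installation (sidecars that receive their certificates via SDS would point `common_tls_context` at the SDS secret instead of files).

```yaml
# Added example (not from the original page): bootstrap override that registers a
# static cluster with an mTLS transport socket for the ext authz gRPC service.
# Assumptions: cluster name istio-policy-mtls, port 15004, file-based certs under
# /etc/certs, istio-policy SPIFFE id, and the sidecar.istio.io/bootstrapOverride
# annotation; adjust all of them to match your mesh.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-custom-bootstrap
  namespace: default            # must live in the workload's namespace
data:
  custom_bootstrap.json: |
    {
      "static_resources": {
        "clusters": [
          {
            "name": "istio-policy-mtls",
            "type": "STRICT_DNS",
            "connect_timeout": "5s",
            "http2_protocol_options": {},
            "load_assignment": {
              "cluster_name": "istio-policy-mtls",
              "endpoints": [{
                "lb_endpoints": [{
                  "endpoint": {
                    "address": {
                      "socket_address": {
                        "address": "istio-policy.istio-system",
                        "port_value": 15004
                      }
                    }
                  }
                }]
              }]
            },
            "transport_socket": {
              "name": "envoy.transport_sockets.tls",
              "typed_config": {
                "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
                "sni": "istio-policy.istio-system",
                "common_tls_context": {
                  "tls_certificates": [{
                    "certificate_chain": { "filename": "/etc/certs/cert-chain.pem" },
                    "private_key": { "filename": "/etc/certs/key.pem" }
                  }],
                  "validation_context": {
                    "trusted_ca": { "filename": "/etc/certs/root-cert.pem" },
                    "match_subject_alt_names": [{
                      "exact": "spiffe://cluster.local/ns/istio-system/sa/istio-policy-service-account"
                    }]
                  }
                }
              }
            }
          }
        ]
      }
    }
---
# Pod template excerpt (assumed annotation): merge the ConfigMap into the sidecar bootstrap.
metadata:
  annotations:
    sidecar.istio.io/bootstrapOverride: istio-custom-bootstrap
---
# Replacement for the grpc_service stanza in the istio-policy EnvoyFilter above:
# envoy_grpc requires a cluster name, which is why the static cluster is needed.
grpc_service:
  envoy_grpc:
    cluster_name: istio-policy-mtls
  timeout: 5s
```

Pinning `match_subject_alt_names` to the istio-policy service account identity means the sidecar only trusts a peer presenting that SPIFFE certificate rather than anything signed by the mesh CA; without it, a workload that obtained any mesh certificate could answer check calls. The same pattern applies to the istio-telemetry access log cluster.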
Here are example attribute bags generated from an Envoy ext authz check and a gRPC access log report.
When upgrading to Istio 1.8 or any version after that, you can simply run:
```shell
istioctl upgrade <your options or operator file>
```
All Mixer related deployments and resources should still be preserved.