Mixer Configuration Model

Istio provides a flexible model to enforce authorization policies and collect telemetry for theservices in a mesh.

Infrastructure backends are designed to provide support functionalityused to build services. They include such things as access control systems,telemetry capturing systems, quota enforcement systems, billing systems, and soforth. Services traditionally directly integrate with these backend systems,creating a hard coupling and baking-in specific semantics and usage options.

Istio provides a uniform abstraction that makes it possible for Istio to interface withan open-ended set of infrastructure backends. This is done in such a way to provide richand deep controls to the operator, while imposing no burden on service developers.Istio is designed to change the boundaries between layers in order to reducesystemic complexity, eliminate policy logic from service code and givecontrol to operators.

Mixer is the Istio component responsible for providing policy controls and telemetry collection:

Mixer Topology

Mixer Topology

The Envoy sidecar logically calls Mixer before each request to perform precondition checks, and after each request to report telemetry.The sidecar has local caching such that a large percentage of precondition checks can be performed from cache. Additionally, thesidecar buffers outgoing telemetry such that it only calls Mixer infrequently.

At a high level, Mixer provides:

  • Backend Abstraction. Mixer insulates the rest of Istio from the implementation details of individual infrastructure backends.

  • Intermediation. Mixer allows operators to have fine-grained control over all interactions between the mesh and infrastructure backends.

Policy enforcement and telemetry collection are entirely driven from configuration.Policy check is disabled by default, avoiding the need to go through the Mixer policy component.Refer to Installation Options for more information.

Adapters

Mixer is a highly modular and extensible component. One of its key functions isto abstract away the details of different policy and telemetry backend systems,allowing the rest of Istio to be agnostic of those backends.

Mixer’s flexibility in dealing with different infrastructure backends comesfrom its general-purpose plug-in model. Individual plug-ins areknown as adapters and they allow Mixer to interface to differentinfrastructure backends that deliver core functionality, such as logging,monitoring, quotas, ACL checking, and more. The exact set ofadapters used at runtime is determined through configuration and can easily beextended to target new or custom infrastructure backends.

Showing Mixer with adapters.

Mixer and its Adapters

Learn more about the set of supported adapters.

Attributes

Attributes are an essential concept to Istio’s policy and telemetry functionality.An attribute is a small bit of data that describes a single property of a specificservice request or the environment for the request. For example, an attribute canspecify the size of a specific request, the response code for an operation, the IPaddress where a request came from, etc.

Each attribute has a name and a type. The type defines the kind of data that the attribute holds. Forexample, an attribute can have a STRING type which means it has a textual value, or it can have an INT64type indicating it has a 64 bit integer value.

Here are some example attributes with their associated values:

  1. request.path: xyz/abc
  2. request.size: 234
  3. request.time: 12:34:56.789 04/17/2017
  4. source.ip: [192 168 0 1]
  5. destination.service.name: example

Mixer is in essence an attribute processing machine. The Envoy sidecar invokes Mixer forevery request, giving Mixer a set of attributes that describe the request and the environmentaround the request. Based on its configuration and the specific set of attributes it wasgiven, Mixer generates calls to a variety of infrastructure backends.

Attribute Machine

Attribute Machine

Attribute vocabulary

A given Istio deployment has a fixed vocabulary of attributes that it understands.The specific vocabulary is determined by the set of attribute producers being usedin the deployment. The primary attribute producer in Istio is Envoy, althoughspecialized Mixer adapters can also generate attributes.

Learn more about the common baseline set of attributes available in most Istio deployments.

Attribute expressions

Attribute expressions are used when configuring instances.Here’s an example use of expressions:

  1. destination_service: destination.service.host
  2. response_code: response.code
  3. destination_version: destination.labels["version"] | "unknown"

The sequences on the right-hand side of the colons are the simplest forms of attribute expressions.The first two only consist of attribute names. The response_code label is assigned the value from the response.code attribute.

Here’s an example of a conditional expression:

  1. destination_version: destination.labels["version"] | "unknown"

With the above, the destination_version label is assigned the value of destination.labels["version"]. However if that attributeis not present, the literal "unknown" is used.

Refer to the attribute expression page for details.

Configuration model

Istio’s policy and telemetry features are configured through a common model designed toput operators in control of every aspect of authorization policy and telemetry collection.Specific focus was given to keeping the model simple, while being powerfulenough to control Istio’s many features at scale.

Controlling the policy and telemetry features involves configuring three types of resources:

  • Configuring a set of handlers, which determine the set of adapters thatare being used and how they operate. Providing a statsd adapter with the IPaddress for a Statsd backend is an example of handler configuration.

  • Configuring a set of instances, which describe how to map request attributes into adapter inputs.Instances represent a chunk of data that one or more adapters will operateon. For example, an operator may decide to generate requestcountmetric instances from attributes such as destination.service.host andresponse.code.

  • Configuring a set of rules, which describe when a particular adapter is called and which instancesit is given. Rules consist of a match expression and actions. The match expression controlswhen to invoke an adapter, while the actions determine the set of instances to give the adapter.For example, a rule might send generated requestcount metric instances to a statsd adapter.

Configuration is based on adapters and templates:

  • Adapters encapsulate the logic necessary to interface Mixer with a specific infrastructure backend.

  • Templates define the schema for specifying request mapping from attributes to adapter inputs.A given adapter may support any number of templates.

Handlers

Adapters encapsulate the logic necessary to interface Mixer with specific external infrastructurebackends such as Prometheus or Stackdriver.A handler is a resource responsible for holding the configuration state needed by an adapter. For example, alogging adapter may require the IP address and port of the log collection backend.

Here is an example showing how to create a handler for an adapter. The listchecker adapter checks an input value against a list.If the adapter is configured for a whitelist, it returns success if the input value is found in the list.

  1. apiVersion: config.istio.io/v1alpha2
  2. kind: handler
  3. metadata:
  4. name: staticversion
  5. namespace: istio-system
  6. spec:
  7. compiledAdapter: listchecker
  8. params:
  9. providerUrl: http://white_list_registry/
  10. blacklist: false

The schema of the data in the params stanza depends on the specific adapter being configured.

Some adapters implement functionality that goes beyond connecting Mixer to a backend.For example, the prometheus adapter consumes metrics and aggregates them as distributions or counters in a configurable way.

  1. apiVersion: config.istio.io/v1alpha2
  2. kind: handler
  3. metadata:
  4. name: promhandler
  5. namespace: istio-system
  6. spec:
  7. compiledAdapter: prometheus
  8. params:
  9. metrics:
  10. - name: request_count
  11. instance_name: requestcount.instance.istio-system
  12. kind: COUNTER
  13. label_names:
  14. - destination_service
  15. - destination_version
  16. - response_code
  17. - name: request_duration
  18. instance_name: requestduration.instance.istio-system
  19. kind: DISTRIBUTION
  20. label_names:
  21. - destination_service
  22. - destination_version
  23. - response_code
  24. buckets:
  25. explicit_buckets:
  26. bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]

Each adapter defines its own particular format of configuration data. Learn more about the full set ofadapters and their specific configuration formats.

Instances

Instance configuration specifies the request mapping from attributes to adapter inputs.The following is an example of a metric instance configuration that produces the requestduration metric.

  1. apiVersion: config.istio.io/v1alpha2
  2. kind: instance
  3. metadata:
  4. name: requestduration
  5. namespace: istio-system
  6. spec:
  7. compiledTemplate: metric
  8. params:
  9. value: response.duration | "0ms"
  10. dimensions:
  11. destination_service: destination.service.host | "unknown"
  12. destination_version: destination.labels["version"] | "unknown"
  13. response_code: response.code | 200
  14. monitored_resource_type: '"UNSPECIFIED"'

Note that all the dimensions expected in the handler configuration are specified in the mapping.Templates define the specific required content of individual instances. Learn more about the set oftemplates and their specific configuration formats.

Rules

Rules specify when a particular handler is invoked with a specific instance.Consider an example where you want to deliver the requestduration metric to the prometheus handler ifthe destination service is service1 and the x-user request header has a specific value.

  1. apiVersion: config.istio.io/v1alpha2
  2. kind: rule
  3. metadata:
  4. name: promhttp
  5. namespace: istio-system
  6. spec:
  7. match: destination.service.host == "service1.ns.svc.cluster.local" && request.headers["x-user"] == "user1"
  8. actions:
  9. - handler: promhandler
  10. instances: [ requestduration ]

A rule contains a match predicate expression and a list of actions to perform if the predicate is true.An action specifies the list of instances to be delivered to a handler.A rule must use the fully qualified names of handlers and instances.If the rule, handlers, and instances are all in the same namespace, the namespace suffix can be elided fromthe fully qualified name as seen in promhandler.

See also

Observability

Describes the telemetry and monitoring features provided by Istio.

Mixer and the SPOF Myth

Improving availability and reducing latency.

Mixer Adapter Model

Provides an overview of Mixer's plug-in architecture.

Monitoring and Policies for TLS Egress

Describes how to configure SNI monitoring and apply policies on TLS egress traffic.

App Identity and Access Adapter

Using Istio to secure multi-cloud Kubernetes applications with zero code changes.

Collecting Logs

This task shows you how to configure Istio to collect and customize logs.