diff --git a/content/en/docs/concepts/policies/index.md b/content/en/docs/concepts/policies/index.md deleted file mode 100644 index 357a74c98b..0000000000 --- a/content/en/docs/concepts/policies/index.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Policies -description: Describes Istio's policy management functionality. -weight: 30 -keywords: [policy,policies] ---- - -Istio lets you configure custom policies for your application to enforce rules at runtime such as: - -- Rate limiting to dynamically limit the traffic to a service -- Denials, whitelists, and blacklists, to restrict access to services -- Header rewrites and redirects - -Istio also lets you create your own [policy adapters](/docs/tasks/policy-enforcement/control-headers) to add, for example, your own custom authorization behavior. - -You must [enable policy enforcement](/docs/tasks/policy-enforcement/enabling-policy) for your mesh to use this feature. diff --git a/content/en/docs/concepts/security/index.md b/content/en/docs/concepts/security/index.md index 28a513508e..8f52155575 100644 --- a/content/en/docs/concepts/security/index.md +++ b/content/en/docs/concepts/security/index.md @@ -9,6 +9,7 @@ aliases: - /docs/concepts/security/mutual-tls/ - /docs/concepts/security/rbac/ - /docs/concepts/security/mutual-tls.html + - /docs/concepts/policies/ --- Breaking down a monolithic application into atomic services offers various benefits, including better agility, better scalability @@ -818,9 +819,3 @@ the authorization policy: Mutual TLS is not required if you don't use any of the above fields in the authorization policy. - -### Using other authorization mechanisms - -While we strongly recommend using the Istio authorization mechanisms, -Istio is flexible enough to allow you to plug in your own authentication and authorization mechanisms via the Mixer component. -To use and configure plugins in Mixer, visit our [policies and telemetry adapters docs](/docs/reference/config/policy-and-telemetry/adapters). 
diff --git a/content/en/docs/concepts/what-is-istio/index.md b/content/en/docs/concepts/what-is-istio/index.md index d959d8efbf..dc9248e3f0 100644 --- a/content/en/docs/concepts/what-is-istio/index.md +++ b/content/en/docs/concepts/what-is-istio/index.md @@ -74,18 +74,6 @@ secure {{}}pod{{}}-to-pod or service-to-service communication at Refer to the [Security concepts guide](/docs/concepts/security/) for more details. -### Policies - -Istio lets you configure custom policies for your application to enforce rules at runtime such as: - -* Rate limiting to dynamically limit the traffic to a service -* Denials, whitelists, and blacklists, to restrict access to services -* Header rewrites and redirects - -Istio also lets you create your own [policy adapters](/docs/tasks/policy-enforcement/control-headers) to add, for example, your own custom authorization behavior. - -Refer to the [Policies concepts guide](/docs/concepts/policies/) for more details. - ### Observability Istio’s robust tracing, monitoring, and logging features give you deep insights into your service mesh deployment. Gain a real understanding of how service performance diff --git a/content/en/docs/tasks/policy-enforcement/control-headers/index.md b/content/en/docs/tasks/policy-enforcement/control-headers/index.md index c952188265..c17f318daf 100644 --- a/content/en/docs/tasks/policy-enforcement/control-headers/index.md +++ b/content/en/docs/tasks/policy-enforcement/control-headers/index.md 
@@ -1,10 +1,18 @@ --- -title: Control Headers and Routing +title: Control Headers and Routing (Deprecated) description: Shows how to modify request headers and routing using policy adapters. weight: 20 keywords: [policies,routing] --- +{{< warning >}} +The mixer policy is deprecated in Istio 1.5 and not recommended for production usage. + +Consider using Envoy [`ext_authz` filter](https://www.envoyproxy.io/docs/envoy/v1.13.0/intro/arch_overview/security/ext_authz_filter), +[`lua` filter](https://www.envoyproxy.io/docs/envoy/v1.13.0/configuration/http/http_filters/lua_filter), +or write a filter using the [`Envoy-wasm` sandbox](https://github.com/envoyproxy/envoy-wasm/tree/master/test/extensions/filters/http/wasm/test_data). +{{< /warning >}} + This task demonstrates how to use a policy adapter to manipulate request headers and routing. ## Before you begin diff --git a/content/en/docs/tasks/policy-enforcement/denial-and-list/index.md b/content/en/docs/tasks/policy-enforcement/denial-and-list/index.md index 2fb771d463..7bb87a494f 100644 --- a/content/en/docs/tasks/policy-enforcement/denial-and-list/index.md +++ b/content/en/docs/tasks/policy-enforcement/denial-and-list/index.md @@ -1,5 +1,5 @@ --- -title: Denials and White/Black Listing +title: Denials and White/Black Listing (Deprecated) description: Shows how to control access to a service using simple denials or white/black listing. weight: 20 keywords: [policies,denial,whitelist,blacklist] @@ -9,6 +9,13 @@ aliases: - /docs/tasks/security/secure-access-control/index.html --- +{{< warning >}} +The mixer policy is deprecated in Istio 1.5 and not recommended for production usage. + +Please use the [Authorization Policy](/docs/concepts/security/#authorization) for +enforcing access control to a workload. +{{< /warning >}} + This task shows how to control access to a service using simple denials, attribute-based white or black listing, or IP-based white or black listing. ## Before you begin 
diff --git a/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md b/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md index ee0752c484..ecf3621ebf 100644 --- a/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md +++ b/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md @@ -1,10 +1,24 @@ --- -title: Enabling Policy Enforcement +title: Enabling Policy Enforcement (Deprecated) description: This task shows you how to enable Istio policy enforcement. weight: 1 keywords: [policies] --- +{{< warning >}} +The mixer policy is deprecated in Istio 1.5 and not recommended for production usage. + +* Rate limiting: Consider using [Envoy native rate limiting](https://www.envoyproxy.io/docs/envoy/v1.13.0/intro/arch_overview/other_features/global_rate_limiting) +instead of mixer rate limiting. Istio will add support for native rate limiting API through the Istio extensions API. + +* Control headers and routing: Consider using Envoy [`ext_authz` filter](https://www.envoyproxy.io/docs/envoy/v1.13.0/intro/arch_overview/security/ext_authz_filter), +[`lua` filter](https://www.envoyproxy.io/docs/envoy/v1.13.0/configuration/http/http_filters/lua_filter), +or write a filter using the [`Envoy-wasm` sandbox](https://github.com/envoyproxy/envoy-wasm/tree/master/test/extensions/filters/http/wasm/test_data). + +* Denials and White/Black Listing: Please use the [Authorization Policy](/docs/concepts/security/#authorization) for +enforcing access control to a workload. +{{< /warning >}} + This task shows you how to enable Istio policy enforcement. ## At install time diff --git a/content/en/docs/tasks/policy-enforcement/rate-limiting/index.md b/content/en/docs/tasks/policy-enforcement/rate-limiting/index.md index 4bc8276554..0c450a4166 100644 --- a/content/en/docs/tasks/policy-enforcement/rate-limiting/index.md +++ b/content/en/docs/tasks/policy-enforcement/rate-limiting/index.md 
@@ -1,5 +1,5 @@ --- -title: Enabling Rate Limits +title: Enabling Rate Limits (Deprecated) description: This task shows you how to use Istio to dynamically limit the traffic to a service. weight: 10 keywords: [policies,quotas] @@ -7,6 +7,13 @@ aliases: - /docs/tasks/rate-limiting.html --- +{{< warning >}} +The mixer policy is deprecated in Istio 1.5 and not recommended for production usage. + +Consider using [Envoy native rate limiting](https://www.envoyproxy.io/docs/envoy/v1.13.0/intro/arch_overview/other_features/global_rate_limiting) +instead of mixer rate limiting. Istio will add support for native rate limiting API through the Istio extensions API. +{{< /warning >}} + This task shows you how to use Istio to dynamically limit the traffic to a service.
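
Review bot: In content/en/docs/concepts/security/index.md, the new alias `/docs/concepts/policies/` sends every old link to the deleted Policies page to the security concepts page, which says nothing about rate limiting or header rewrites and redirects. Readers following an old bookmark for those topics land on unrelated content with no deprecation notice. Consider adding a short paragraph on the security page that states the Mixer policy feature is deprecated in 1.5 and links to the three policy-enforcement tasks, or pointing the alias at a page that already carries the warning.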
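
Review bot: In the security/index.md hunk at @@ -818,9 +819,3, the "Using other authorization mechanisms" section is removed without a replacement, so the concepts page no longer tells readers how to plug in their own authorization at all. The control-headers warning in this same patch already names the Envoy `ext_authz` filter as the alternative; a one-sentence pointer to it here would keep users who relied on a Mixer authorization adapter from hitting a dead end.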
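
Review bot: In the control-headers/index.md warning, the `Envoy-wasm` link targets a `test_data` directory on the `master` branch (`envoy-wasm/tree/master/test/extensions/filters/http/wasm/test_data`), which can move or disappear, while the two Envoy links beside it are pinned to v1.13.0. Pin it to a tag or commit, or link to documentation rather than test fixtures. The warning also lists `ext_authz`, `lua` and Wasm without saying which one replaces header manipulation and which replaces routing, the two things this task covers; a short phrase per option would help readers choose.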
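
Review bot: In the denial-and-list/index.md warning, the single link to `/docs/concepts/security/#authorization` does not say how the three mechanisms this task covers (simple denials, attribute-based listing, IP-based listing) map onto Authorization Policy. State which of them it replaces, or link to a task-level page rather than a concepts anchor. Style: this warning says "Please use" where the others say "Consider using", and "mixer" is lower-case here although the text removed from security/index.md writes "Mixer"; pick one form for each across the four warnings.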
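
Review bot: In the enabling-policy/index.md warning, the three bullets repeat verbatim the text added to control-headers, denial-and-list and rate-limiting, so any later change to a link or to the wording has to be made in four places. Consider moving the shared text into one include or shortcode and referencing it from each page. The page body below the warning still walks through enabling the feature "At install time" with no indication of when it will be removed; if a removal release is known, name it in the warning.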
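
Review bot: In the rate-limiting/index.md warning (and the matching bullet in enabling-policy), "Istio will add support for native rate limiting API through the Istio extensions API" is an unversioned forward-looking statement that will go stale and gives no tracking link. As written, the reader is told that Mixer rate limiting is not recommended for production and that the Istio-level replacement does not exist yet, with only an Envoy architecture overview to go on. Say explicitly what a 1.5 user should configure today, and either link the tracking issue or drop the promise. Grammar: "support for the native rate limiting API".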