istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.3/faq/mixer/index.html

129 lines
22 KiB
HTML
Raw Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Mixer FAQ"><meta name=description content="Mixer Q &amp; A."><meta name=keywords content=microservices,services,mesh><meta property=og:title content="Mixer FAQ"><meta property=og:type content=website><meta property=og:description content="Mixer Q &amp; A."><meta property=og:url content=/v1.3/faq/mixer/><meta property=og:image content=/v1.3/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.3 / Mixer FAQ</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.3/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.3/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.3/feed.xml><link rel="shortcut icon" href=/v1.3/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.3/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.3/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.3/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.3/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.3/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.3/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.3/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.3/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.3/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.3/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.3/css/all.css><script src=/v1.3/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.3";const docTitle="Mixer FAQ";const iconFile="\/v1.3/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.3/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.3/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.3</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.3/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.3/blog/2019/proxy/>Blog</a>
<a title="Timely news about the Istio project." href=/v1.3/news/2019/announcing-1.2-eol/>News</a>
<span title="Frequently Asked Questions about Istio.">FAQ</span>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.3/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/faq\/mixer\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/faq\/mixer\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.3/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class="primary notoc"><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><div id=header0 class=header title="Frequently Asked Questions about Istio."><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#faq"/></svg>FAQ</div><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=header0><li role=none><a role=treeitem title="General Q &amp; A." href=/v1.3/faq/general/>General</a></li><li role=none><a role=treeitem title="Setup Q &amp; A." href=/v1.3/faq/setup/>Setup</a></li><li role=none><a role=treeitem title="Security Q &amp; A." href=/v1.3/faq/security/>Security</a></li><li role=none><span role=treeitem class=current title="Mixer Q &amp; A.">Mixer</span></li><li role=none><a role=treeitem title="Metrics and Logs Q &amp; A." href=/v1.3/faq/metrics-and-logs/>Metrics and Logs</a></li><li role=none><a role=treeitem title="Distributed Tracing Q &amp; A." href=/v1.3/faq/distributed-tracing/>Distributed Tracing</a></li><li role=none><a role=treeitem title="Traffic Management Q &amp; A." href=/v1.3/faq/traffic-management/>Traffic Management</a></li></ul></div></div></div></nav></div><div class=article-container><nav aria-label=Breadcrumb><ol><li><a href=/v1.3/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.3/faq/ title="Frequently Asked Questions about Istio.">FAQ</a></li><li>Mixer</li></ol></nav><article aria-labelledby=title><div class=title-area><i class=title-icon><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#faq"/></svg></i><div><h1 id=title>Mixer FAQ</h1></div></div><nav class="toc-inlined toc-forced"><hr><div class=directory role=directory><nav id=InlineTableOfContents><ol><li role=none aria-label="Why does Istio need Mixer?"><a href=#why-mixer>Why does Istio need Mixer?</a></li><li role=none aria-label="How do I see all Mixer's configuration?"><a href=#seeing-mixer-config>How do I see all Mixer&#39;s configuration?</a></li><li role=none aria-label="What is the full set of attribute expressions Mixer supports?"><a href=#attribute-expressions>What is the full set of attribute expressions Mixer supports?</a></li><li role=none aria-label="Does Mixer provide any self-monitoring?"><a href=#mixer-self-monitoring>Does Mixer provide any self-monitoring?</a></li><li role=none aria-label="How can I write a custom adapter for Mixer?"><a href=#writing-custom-adapters>How can I write a custom adapter for Mixer?</a></li><li role=none aria-label="Why does my rule not match?"><a href=#header-rules>Why does my rule not match?</a></li></ol></nav></div><hr></nav><div class=faq><h5 id=why-mixer class=question>Why does Istio need Mixer?</h5><div class=answer><p>Mixer provides a rich intermediation layer between the Istio components as well as Istio-based services,
and the infrastructure backends used to perform access control checks and telemetry capture. This
layer enables operators to have rich insights and control over service behavior without requiring
changes to service binaries.</p><p>Mixer is designed as a stand-alone component, distinct from Envoy. This has numerous benefits:</p><ul><li><p><em>Scalability</em>.
The work that Mixer and Envoy do is very different in nature, leading to different scalability
requirements. Keeping the components separate enables independent component-appropriate scaling.</p></li><li><p><em>Resource Usage</em>.
Istio depends on being able to deploy many instances of its proxy, making it important to minimize the
cost of each individual instance. Moving Mixer&rsquo;s complex logic into a distinct component makes it
possible for Envoy to remain svelte and agile.</p></li><li><p><em>Reliability</em>.
Mixer and its open-ended extensibility model represents the most complex parts of the
data path processing pipeline. By hosting this functionality in Mixer rather than Envoy,
it creates distinct failure domains which enables Envoy to continue operating even if Mixer
fails, preventing outages.</p></li><li><p><em>Isolation</em>.
Mixer provides a level of insulation between Istio and the infrastructure backends. Each Envoy instance can be configured to have a
very narrow scope of interaction, limiting the impact of potential attacks.</p></li><li><p><em>Extensibility</em>.
It was imperative to design a simple extensibility model to allow Istio to interoperate
with as widest breath of backends as possible. Due to its design and language choice, Mixer is inherently
easier to extend than Envoy is. The separation of concerns also makes it possible to use
Istio policy and telemetry processing with different proxies, just as a mix of Envoy and NGINX.</p></li></ul><p>Envoy implements sophisticated caching, batching, and prefetching, to largely mitigate the
latency impact of needing to interact with Mixer on the request path.</p></div><h5 id=seeing-mixer-config class=question>How do I see all Mixer&#39;s configuration?</h5><div class=answer><p>Configuration for <em>instances</em>, <em>handlers</em>, and <em>rules</em> is stored as Kubernetes
<a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/>Custom Resources</a>.
Configuration may be accessed by using <code>kubectl</code> to query the Kubernetes
API server for the resources.</p><h2 id=rules>Rules</h2><p>To see the list of all rules, execute the following:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get rules --all-namespaces
NAMESPACE NAME AGE
istio-system kubeattrgenrulerule 20h
istio-system promhttp 20h
istio-system promtcp 20h
istio-system stdiohttp 20h
istio-system stdiotcp 20h
istio-system tcpkubeattrgenrulerule 20h
</code></pre><p>To see an individual rule configuration, execute the following:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n &lt;namespace&gt; get rules &lt;name&gt; -o yaml
</code></pre><h2 id=handlers>Handlers</h2><p>Handlers are defined based on Kubernetes <a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions>Custom Resource
Definitions</a>
for adapters.</p><p>First, identify the list of adapter kinds:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get crd -listio=mixer-adapter
NAME AGE
adapters.config.istio.io 20h
bypasses.config.istio.io 20h
circonuses.config.istio.io 20h
deniers.config.istio.io 20h
fluentds.config.istio.io 20h
kubernetesenvs.config.istio.io 20h
listcheckers.config.istio.io 20h
memquotas.config.istio.io 20h
noops.config.istio.io 20h
opas.config.istio.io 20h
prometheuses.config.istio.io 20h
rbacs.config.istio.io 20h
servicecontrols.config.istio.io 20h
signalfxs.config.istio.io 20h
solarwindses.config.istio.io 20h
stackdrivers.config.istio.io 20h
statsds.config.istio.io 20h
stdios.config.istio.io 20h
</code></pre><p>Then, for each adapter kind in that list, issue the following command:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get &lt;adapter kind name&gt; --all-namespaces
</code></pre><p>Output for <code>stdios</code> will be similar to:</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>NAMESPACE NAME AGE
istio-system handler 20h
</code></pre><p>To see an individual handler configuration, execute the following:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n &lt;namespace&gt; get &lt;adapter kind name&gt; &lt;name&gt; -o yaml
</code></pre><h2 id=instances>Instances</h2><p>Instances are defined according to Kubernetes <a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions>Custom Resource
Definitions</a>
for instances.</p><p>First, identify the list of instance kinds:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get crd -listio=mixer-instance
NAME AGE
apikeys.config.istio.io 20h
authorizations.config.istio.io 20h
checknothings.config.istio.io 20h
edges.config.istio.io 20h
instances.config.istio.io 20h
kuberneteses.config.istio.io 20h
listentries.config.istio.io 20h
logentries.config.istio.io 20h
metrics.config.istio.io 20h
quotas.config.istio.io 20h
reportnothings.config.istio.io 20h
servicecontrolreports.config.istio.io 20h
tracespans.config.istio.io 20h
</code></pre><p>Then, for each instance kind in that list, issue the following command:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get &lt;instance kind name&gt; --all-namespaces
</code></pre><p>Output for <code>metrics</code> will be similar to:</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>NAMESPACE NAME AGE
istio-system requestcount 20h
istio-system requestduration 20h
istio-system requestsize 20h
istio-system responsesize 20h
istio-system tcpbytereceived 20h
istio-system tcpbytesent 20h
</code></pre><p>To see an individual instance configuration, execute the following:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n &lt;namespace&gt; get &lt;instance kind name&gt; &lt;name&gt; -o yaml
</code></pre></div><h5 id=attribute-expressions class=question>What is the full set of attribute expressions Mixer supports?</h5><div class=answer><p>Please see the <a href=/v1.3/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language
Reference</a> for
the full set of supported attribute expressions.</p></div><h5 id=mixer-self-monitoring class=question>Does Mixer provide any self-monitoring?</h5><div class=answer><p>Mixer exposes a monitoring endpoint (default port: <code>10514</code>). There are a few
useful paths to investigate Mixer performance and audit
function:</p><ul><li><code>/metrics</code> provides Prometheus metrics on the Mixer process as well as gRPC
metrics related to API calls and metrics on adapter dispatch.</li><li><code>/debug/pprof</code> provides an endpoint for profiling data in <a href=https://golang.org/pkg/net/http/pprof/>pprof
format</a>.</li><li><code>/debug/vars</code> provides an endpoint exposing server metrics in JSON format.</li></ul><p>Mixer logs can be accessed via a <code>kubectl logs</code> command, as follows:</p><ul><li>For the <code>istio-policy</code> service:</li></ul><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l app=policy -c mixer
</code></pre><ul><li>For the <code>istio-telemetry</code> service:</li></ul><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l app=telemetry -c mixer
</code></pre><p>Mixer trace generation is controlled by command-line flags: <code>trace_zipkin_url</code>, <code>trace_jaeger_url</code>, and <code>trace_log_spans</code>. If
any of those flag values are set, trace data will be written directly to those locations. If no tracing options are provided, Mixer
will not generate any application-level trace information.</p></div><h5 id=writing-custom-adapters class=question>How can I write a custom adapter for Mixer?</h5><div class=answer><p>Learn how to implement a new adapter for Mixer by consulting the
<a href=https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide>Adapter Developer&rsquo;s Guide</a>.</p><div><aside class="callout idea"><div class=type><svg class="large-icon"><use xlink:href="/v1.3/img/icons.svg#callout-idea"/></svg></div><div class=content>Istio 1.0 introduces initial support for out-of-process adapters. This will
be the recommended approach moving forward for integrating with Mixer. Initial documentation on
how to build an out-of-process adapter is provided by the
<a href=https://github.com/istio/istio/wiki/Mixer-Out-Of-Process-Adapter-Dev-Guide>Out Of Process Adapter Dev Guide</a>
and the <a href=https://github.com/istio/istio/wiki/Mixer-Out-Of-Process-Adapter-Walkthrough>Out of Process Adapter Walk-through</a>.</div></aside></div></div><h5 id=header-rules class=question>Why does my rule not match?</h5><div class=answer><p>Mixer rules must be valid to be applied at runtime. That means the match
conditions are well-defined expressions in the
<a href=/v1.3/docs/reference/config/policy-and-telemetry/expression-language/>language</a>, the attributes
are declared in an <a href=/v1.3/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>attribute
manifest</a>, and rules have
no dangling references to handlers and instances.</p><p>The attribute values are typically normalized before evaluating rules on
them. For example, HTTP headers have lowercase keys in <code>request.headers</code> and
<code>response.headers</code> attributes. An expression
<code>request.headers[&quot;X-Forwarded-Proto&quot;] == &quot;http&quot;</code> does not match any request
even though HTTP headers are case-insensitive. Instead, use an expression
<code>request.headers[&quot;x-forwarded-proto&quot;] == &quot;http&quot;</code>.</p></div></div></article><nav class=pagenav><div class=left><a title="Security Q &amp; A." href=/v1.3/faq/security/><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#left-arrow"/></svg>Security</a></div><div class=right><a title="Metrics and Logs Q &amp; A." href=/v1.3/faq/metrics-and-logs/>Metrics and Logs<svg class="icon"><use xlink:href="/v1.3/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.3.5 now" href=/v1.3/docs/setup#downloading-the-release aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.3.5<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on November 14, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink