Describe config scopes and refresh the what-is-istio topic.

Author: Martin Taillefer

community/index.html

@@ -12,7 +12,7 @@
             <div class="community col-lg-9 col-md-10 col-sm-12">
                 <section class="lead">
                     <p>
-                    Istio has an active community that supports its use and on-going development. We'd love for you
+                    Istio is an open source project with an active community that supports its use and on-going development. We'd love for you
                     to join us and get involved!
                     </p>
                 </section>

docs/concepts/mixer-config.md

@@ -9,7 +9,7 @@ type: markdown
 
 {% capture overview %}
 
-This page describes the Istio mixer's configuration model.
+This page describes Mixer's configuration model.
 
 {% endcapture %}
 
@@ -346,9 +346,66 @@ The different descriptor types are detailed in *TBD*
 
 An Istio deployment can be responsible for managing a large number of services. Organizations
 often have dozens or hundreds of interacting services, and Istio's mission is to make it easy to
-manage them all.
+manage them all. Mixer's configuration model is designed to support different operators to
+manage different parts of an Istio deployment without stepping on each other's feet, and allowing
+them to have control over their areas, but not other's.
 
-*TBD*
+Here's how this all works:
+
+- The various chunks of configuration described in the previous sections (adapters, aspects, and descriptors) are always declared 
+within the context of a hierarchy.
+ 
+- The hierarchy is represented by DNS-style dotted names. Like DNS, the hierarchy starts with the rightmost element in
+the dotted name.
+ 
+- Each chunk of configuration is associated with a *scope* and a *subject* which are both dotted names 
+representing locations within the hierarchy:
+
+  - A scope represents the authority that created the chunk of configuration. Authorities
+  higher up in the hierarchy are more powerful than those lower in the tree.
+  
+  - The subject represents the location of the chunk of state within the hierarchy. The subject
+  is necessarily always at or below the level of the scope within the hierarchy.
+
+- If multiple chunks of config have the same subject, within the matching set, chunks which are associated with a higher 
+scope higher in the hierarchy always take precedence.
+
+The individual elements that make up the hierarchy depend on the specifics of the Istio deployment.
+A Kubernetes deployment likely uses Kubernetes namespaces as the hierarchy against which Istio configuration
+state is deployed. For example, a valid scope might be `svc.cluster.local` while a subject might be
+`myservice.ns.svc.cluster.local`
+
+The scoping model is designed to pair up with an access control model to constrain which human is allowed to
+create chunks of configuration for particular scopes. Operators which have the authority to create
+chunks at a scope higher in the hierarchy can impact all configuration associated with lower scopes. Although this is the design
+intent, Mixer configuration doesn't yet support access control on its configuration so there are no actual constraints on which
+operator can manipulate which scope.
+
+#### Resolution
+
+When a request arrives, Mixer goes through a number of [request processing phases](./mixer.md#request-phases).
+The Resolution phase is concerned with identifying the exact chunks of configuration to use in order to
+process the incoming request. For example, a request arriving at Mixer for service A likely has some configuration differences
+with requests arriving for service B. Resolution is about deciding which config to use for a request.
+
+Resolution depends on a well-known attribute to guide its choice, a so-called *identity attribute*.
+The value of this attribute is a dotted name which determines where the mixer begins to look in the
+hierarchy for blocks of configuration to use for the request.
+
+Here's how it all works:
+
+1. A request arrives and Mixer extracts the value of the identity attribute and produces the current
+lookup value.
+
+2. Mixer looks for all chunks of configuration whose subject matches the lookup value.
+
+3. If Mixer finds multiple chunks that match, it keeps only the chunk that has the highest scope.
+
+4. Mixer truncates the lowest element from the lookup value's dotted name. If the lookup value is
+not empty, then Mixer goes back to step 2 above.
+
+All the configs found in this process are combined together to form the final total set of configuration that is used to
+evaluate the current request.
 
 ### Manifests
 
@@ -381,10 +438,6 @@ manifests:
         value_type: STRING
       response.code:
         value_type: INT64
-      api.method:
-        value_type: STRING
-      api.name:
-        value_type: STRING
 ```
 
 ## Configuration API

docs/concepts/what-is-istio.md

@@ -1,53 +1,89 @@
 ---
-title: Architecture
-headline: Architecture
+title: What is Istio?
+headline: What is Istio?
 sidenav: doc-side-concepts-nav.html
 bodyclass: docs
 layout: docs
 type: markdown
 ---
 
 {% capture overview %}
-The page explains in broad terms the major components of the Istio service mesh design.
+This page introduces Istio, a polyglot service mesh.
 {% endcapture %}
 
 {% capture body %}
-## The proxy
-
-The Istio proxy is designed to mediate inbound and outbound
-traffic for all Istio-managed services. The Istio proxy is based on
-[Envoy](https://lyft.github.io/envoy/). Istio leverages Envoy's features
-such as dynamic service discovery, load balancing, TLS termination, HTTP/2 & gRPC
-proxying, circuit breakers, health checks, staged rollouts with %-based
-traffic split, fault injection, and a rich set of metrics. In addition,
-Istio extends the proxy to interact with the mixer to enforce various
-access control policies rate limiting, ACLs, as well as telemetry
-reporting.
-
-## The mixer
-
-The Istio mixer is responsible for enforcing access control
-and usage policies across the service mesh and collects telemetry data from
-proxies and istio-managed services alike. The Istio proxy extracts request
-level attributes that are then evaluated by the mixer. More info on the
-attribute extraction and policy evaluation can be found
-[here]({{site.baseurl}}/docs/reference/attribute-vocabulary.html). The mixer
-includes a flexible plugin model enabling
-it to interface to a variety of host environments and configured backends,
-abstracting the proxy and Istio-managed services from these details.
-
-## The manager
-
-The Istio manager serves as an interface between the user
-and Istio, collecting configuration, validating it and propagating it to
-various components. It abstracts platform-specific implementation details
-from the mixer and proxies, providing them with an
-[abstract representation](model.md) of user's services that is independent
-of the underlying platform. In addition, [traffic management rules](../reference/rule-dsl.md)
-(i.e. generic layer-4 rules and layer-7 HTTP/gRPC routing rules)
-can be programmed at runtime via the Istio Manager.
+
+## Context & Overview
+
+As monolithic applications transition towards a distributed microservice architecture they become more difficult to manage and understand. These architectures need basic necessities such as discovery, load balancing, failure recovery, metrics and monitoring, and more complex operational requirements such as A/B testing, canary releases, rate limiting, access control, and end-to-end authentication. The term service mesh is used to describe the network of microservices that make up applications and the interactions between them. As the service mesh grows in size and complexity, it becomes harder to understand and manage.
+
+Istio provides a complete solution to satisfying these diverse requirements of microservice applications, by providing developers and operators with behavioral insights and operational control over the service mesh as a whole. Istio does this by providing a number of key capabilities uniformly across the network of services:
+
+Traffic management - Control the flow of traffic and API calls between services, make calls more reliable and make the network more robust in the face of adverse conditions.
+Observability - Gain understanding of the dependencies between services, the nature and flow of traffic between them and be able to quickly identify issues.
+Policy enforcement - Apply organizational policy to the interaction between services, ensure access policies are enforced and resources are fairly distributed among consumers. Policy changes are made by configuring the mesh, not by changing application code.
+Service identity and security - Provide services in the mesh with a verifiable identity [link] and provide the ability to protect [link] service traffic as it flows over networks of varying degrees of trustability.
+
+In addition to these behaviors, Istio is designed for extensibility to meet diverse deployment needs:
+
+Platform support - Istio is designed to run in a variety of environments including ones that span Cloud, on-premise, Kubernetes, Mesos etc. We’re initially focused on Kubernetes but are working to support other environments soon.
+Integration & Customization - The policy enforcement component can be extended [link] and customized [link] to integrate with existing solutions for ACLs, logging, monitoring, quotas, auditing and more.
+
+These capabilities greatly decrease the coupling between application code, the underlying platform and policy. This decreased coupling not only makes services easier to implement but also makes it simpler for operators to move application deployments between environments or to new policy schemes. Applications become inherently more portable as a result.
+
+Istio’s service mesh is logically split into a data plane and a control plane. The data plane is composed of a set of intelligent (http|grpc|tcp|udp) proxies deployed as sidecars that mediate and control all network communication between microservices. The control plane is responsible for managing and configuring proxies to route traffic, as well as enforce policies at runtime. 
+
+## Design Goals
+Istio’s architecture is informed by a few key design goals that are essential to making the system capable of dealing with services at scale and with high performance.
+
+### Maximize transparency
+To adopt Istio an operator or developer should be required to do the minimum amount of work possible to get real value from the system. To this end Istio can automatically inject itself into all the network paths between services. Istio uses sidecar proxies to capture traffic and where possible automatically program the networking layer to route traffic through those proxies without any changes to the deployed application code. In Kubernetes the proxies are injected into pods and traffic is captured by programming iptables rules. Once the sidecar proxies are injected and traffic routing is programmed Istio is able to mediate all traffic.
+
+This principle also applies to performance. When applying Istio to a deployment operators should see a minimal increase in resource costs for the functionality being provided. Components and APIs must all be designed with performance and scale in mind.
+
+### Incrementality
+As operators and developers become more dependent on the functionality that Istio provides, the system must grow with their needs. While we expect to continue adding new features ourselves, we expect the greatest need will be the ability to extend the policy system, to integrate with other sources of policy and control and to propagate signals about mesh behavior to other systems for analysis. The policy runtime supports a standard extension mechanism for plugging in other services. In addition it allows for the extension of its vocabulary [[link]] to allow policies to be enforced based on new signals that the mesh produces. 
+2.3 Portability
+The ecosystem in which Istio will be used varies along many dimensions. Istio must run on any cloud or on-prem environment with minimal effort. The task of porting Istio-based services to new environments should be trivial, and it should be possible to operate a single service deployed into multiple environments (on multiple clouds for redundancy for example) using Istio.
+
+### Policy Uniformity
+The application of policy to API calls between services provides a great deal of control over mesh behavior but it can be equally important to apply policies to resources which are not necessarily expressed at the API level. For example applying quota to the amount of CPU consumed by an ML training task is more useful than applying quota to the call which initiated the work. To this end the policy system is maintained as a distinct service with its own API rather than being baked into the proxy, allowing services to directly integrate with it as needed.
+
+## High-Level Architecture
 
 <img src="{{site.baseurl}}/img/arch.svg" alt="The overall architecture of an Istio-based service." />
+
+### The Sidecar Model
+
+As monolithic applications are decomposed into a distributed system of microservices that scale dynamically, classic distributed system problems such as service discovery, load balancing, and failure recovery become increasingly import to solve uniformly. As the application gains more agility, it transitions towards a process wherein updates are made to different parts of the application at different times. Developers need the ability to experiment with different features in production, or deploy canary releases, without impacting the system as a whole. Operators need to enforce organization-wide policies, such as global rate limits, ACLs, etc., without requiring updates to each microservice.
+
+Today, these problems are tackled piecemeal within the industry. Language-specific libraries, such as Ribbon/Hystrix from Netflix’s OSS stack, are used to satisfy basic necessities such as discovery, load balancing and circuit breaking. In a polyglot application, organizations need to maintain language-specific libraries for every language being used, dramatically increasing the maintenance cost.
+
+A host of API management tools are typically bolted onto the edge of the infrastructure to provide subscription, metering, API metrics monitoring, rate limiting, etc. Continuous delivery and experimentation of new features in production is restricted to edge services using an edge proxy (e.g., Zuul/Nginx). Policy enforcement between mid-tier services is difficult or impossible as libraries provide little control over how traffic flows between microservices.
+
+Compared to using language-specific libraries, the out-of-process transparent proxy approach has a much lower maintenance overhead. A single proxy implementation can be shared across all services in an organization. This single  implementation can be optimized for performance while providing a variety of functions beneficial to all services in the application. It eliminates the need for applications to be rebuilt whenever new functionality is available. Support for continuous delivery, policy enforcement, and in-depth monitoring of service health can be engineered into the proxy and leveraged across different services (edge & middle-tier) with minimal effort on behalf of the application developer.  As the proxy can act as both an edge proxy as well as a middle-tier router, middle-tier services can also take advantage of the continuous delivery and policy enforcement features provided. By offloading all aspects of communication, failure recovery, and policy enforcement to the proxy, the application logic is dramatically simplified.
+
+### Envoy
+
+Istio uses the Envoy proxy, a high-performance proxy developed in C++, to mediate all inbound and outbound traffic for all services in the service mesh. Istio leverages Envoy’s many built-in features such as dynamic service discovery, load balancing, TLS termination, HTTP/2 & gRPC proxying, circuit breakers, health checks, staged rollouts with %-based traffic split, fault injection, and rich metrics. In addition, Istio extends Envoy to interact with Mixer to enable policy enforcement and to report telemetry.
+
+### Mixer
+
+Mixer is responsible for enforcing access control and usage policies across the service mesh and collects telemetry data from the Envoy proxy and other services. The proxy extracts request level attributes which are sent to Mixer for evaluation. More information on the attribute extraction and policy evaluation can be found here. Mixer includes a flexible plugin model enabling it to interface with a variety of host environments and backends, abstracting the proxy and Istio-managed services from these details.
+
+### Istio Manager
+
+The Manager serves as an interface between the user and Istio, collecting and validating configuration and propagating it to the various Istio components. It abstracts environment-specific implementation details from the Mixer and Proxy, providing them with an abstract representation of the user’s services that is independent of the underlying platform. In addition, traffic management rules (i.e. generic layer-4 rules and layer-7 HTTP/gRPC routing rules) can be programmed at runtime via the Istio Manager.
+
+### Istio Auth
+
+Istio supports strong service-to-service and end-user authentication using mutual TLS, with built-in identity and credential management. Istio Auth can be used to upgrade unencrypted traffic in the service mesh, and provides operators the ability to enforce policy based on service identity, rather than network controls.
+Future releases of Istio will add fine-grained access control and auditing to control and monitor who accesses your service, api, or resource, using a variety of access control mechanisms, including attribute and role-based access control as well as authorization hooks.
+
+Istio Auth is responsible for securing the service-to-service communication [link] and the end-user (mobile app, browser, etc.) to service communication [tbd]. It presents a strong service-level identity [link] to allow service-to-service interoperability across clusters and clouds.
+Istio-Auth provides a key management system [link] to automate key & certificate generation, distribution, and rotation. It enables end-to-end mutual TLS between microservices without any application code change.
+Istio-Auth provides fine-grained access control and auditing at different levels to control and monitor who accesses your service, api, and resource. It supports a variety of access control mechanisms, including attribute- and role-based access control as well as authorization hook [tbd].
+
 {% endcapture %}
 
 {% include templates/concept.md %}

docs/tasks/index.md

@@ -11,20 +11,20 @@ type: markdown
 Tasks show you how to do a single specific targeted
 activity with the Istio system.
 
-- [Installion](./istio-installation.html). This task shows you how to
-  setup Istio service mesh.
+- [Installation](./istio-installation.html). This task shows you how to
+  setup the Istio service mesh.
 
 - [Integrating Services into the Mesh](./integrating-services-into-istio.html). This task shows you how to
-  integrate your applications with Istio service mesh.
+  integrate your applications with the Istio service mesh.
 
 - [Configuring Ingress/Egress with Envoy](./ingress-egress-envoy.html). This task shows you how to
-  setup the Istio Ingress controller and the Egress proxy.
+  setup the Istio ingress controller and the egress proxy.
 
 - [Adding Resilience Features](./resilience-features.html). This task shows you how to
-  setup timeouts, retries and circuit breakers.
+  setup timeouts, retries, and circuit breakers.
 
 - [Configuring Request Routing](./request-routing.html). This task shows you how to
-  configure dynamic request routing based on weights and http headers.
+  configure dynamic request routing based on weights and HTTP headers.
 
 - [Fault Injection](./fault-injection.html). This task shows how to
   inject failures into your application.
@@ -33,8 +33,8 @@ activity with the Istio system.
   setup Istio-Auth to provide mutual TLS authentication between services.
 
 - [Collecting Metrics and Logs](./metrics-logs.html). This task shows you how to
-  configure the Istio Mixer to collect metrics and logs from Envoys in
+  configure Mixer to collect metrics and logs from Envoy instances in
   every Pod.
 
 - [Configuring Mixer](./configuring-mixer.html). This task shows you how to
-  configure the Mixer.
+  configure Mixer.