Styra's Declarative Authorization Service works with Kubernetes APIs to provide desired-state security. Styra lets you define policy before runtime, so teams can define, enforce, and validate security with no black boxes, additional servers, or complex configuration. Using Styra DAS, on-premises customers can install and configure Styra On-premise in different environments.
The following requirements must be met in order to install Styra On-premise on a variety of Kubernetes environments:
Version Compatibility Matrix
The format of version number is
For example, version v1.20.x represents the following:
v = prefix denoting version
R = 1
V = 20
x = placeholder variable denoting compatibility with all bug fix or enhancement releases
R: Release represents the modifications or enhancements to the same product as designated by a change in the R release number. The R release may include new or breaking changes.
V: Version represents the modifications or enhancements to the same product as designated by a change in the V release number.
M: Minor represents the bug fixes and new enhancements to the same product as designated by a change in the patch release number.
Table 1 shows the DAS versions that are compatible with the Istio versions for the purpose of support.
Table 1: Supported Istio Versions
|DAS||Istio v1.8.x||Istio v1.9.x|
Table 2 shows the Kubernetes versions that are compatible with the on-prem-v0.4.x for the purpose of support.
Table 2: Supported On-Prem-v0.4.x
To estimate the storage requirements, the system was tested with five Kubernetes clusters running the Styra OPA agents, generating approximately 800 decisions every second.
To run the minimum number of Styra OPA agents, 128GB of storage was used to store 14 days of decisions.
Styra recommends allocating between 250GB and 500GB of storage to Postgres.
DAS uses Elasticsearch to maintain a search index of policy decisions uploaded by OPA. Sizing the Elasticsearch installation is therefore a matter of determining the volume of decisions that OPA instances upload, on average.
The approximate formula to estimate the total available disk space required to maintain the index:
# of days indexed * # of decisions per day * average size of single decision * overhead factor
By default, DAS maintains the index for 3 days, but since the cleaning takes place once a day, transiently DAS may store decisions for one extra day. # of decisions per day is largely dependent on the OPAs connected to DAS, as is the average size of a single decision JSON document. Overhead factor is due to the replication and indexing overhead of Elasticsearch itself. Styra recommends an overhead multiplier of 5 for extra safety.
For example, assume the following:
The default of 3 days of log retention is used. That means DAS will transiently maintain 4 days' worth of decisions.
The connected OPAs produce 100 decisions (in total) per second, that is, 8.64 million per day.
Each decision JSON document uploaded by OPA takes 2048 bytes on average.
Overhead factor of 5.
Therefore, in this example, the total space required to maintain the indices is approximately:
4 * 8640000 * 2048 * 5 = 330GB.
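The two inputs that vary per deployment, decision rate and average decision size, can be measured from a sample of decision logs before applying the formula. The following is an added example, not Styra's code: it assumes the sample is newline-delimited JSON with a timestamp field in each decision, the function names are hypothetical, and the sample data is constructed.

```python
import json
import re
from datetime import datetime

SECONDS_PER_DAY = 86_400

def required_index_bytes(decisions_per_day, avg_decision_bytes,
                         retention_days=3, overhead=5):
    """Sizing formula; +1 day because cleanup runs only once a day."""
    return int((retention_days + 1) * decisions_per_day
               * avg_decision_bytes * overhead)

def profile_sample(ndjson_text):
    """Measure (decisions per second, average bytes per decision)."""
    sizes, stamps = [], []
    for line in filter(None, map(str.strip, ndjson_text.splitlines())):
        doc = json.loads(line)
        sizes.append(len(line.encode("utf-8")))  # size as uploaded
        # Trim sub-microsecond digits and map Z to an offset for fromisoformat.
        ts = re.sub(r"(\.\d{6})\d+", r"\1", doc["timestamp"]).replace("Z", "+00:00")
        stamps.append(datetime.fromisoformat(ts))
    window = (max(stamps) - min(stamps)).total_seconds() if stamps else 0
    if len(sizes) < 2 or window <= 0:
        raise ValueError("sample must span a measurable time window")
    # n decisions cover n-1 intervals, so divide by intervals, not count.
    return (len(sizes) - 1) / window, sum(sizes) / len(sizes)

def estimate_from_sample(ndjson_text, retention_days=3, overhead=5):
    """Extrapolate the sampled rate to a full day and apply the formula."""
    rate, avg = profile_sample(ndjson_text)
    return required_index_bytes(rate * SECONDS_PER_DAY, avg,
                                retention_days, overhead)

# Constructed sample: five decisions, one per second (not real DAS output).
SAMPLE = "\n".join(
    json.dumps({"decision_id": f"d-{i}", "timestamp": f"2021-01-01T00:00:0{i}Z",
                "path": "admission/allow", "input": {"kind": "Pod"},
                "result": True})
    for i in range(5))

if __name__ == "__main__":
    rate, avg = profile_sample(SAMPLE)
    print(f"sample: {rate:.1f} decisions/s, {avg:.0f} bytes each")
    print(f"sample estimate: {estimate_from_sample(SAMPLE) / 2**30:.2f} GiB")
    # The worked example from the text: 100 decisions/s at 2048 bytes each.
    print(f"text example: {required_index_bytes(8_640_000, 2048) / 2**30:.0f} GiB")
```

With the inputs from the worked example, `required_index_bytes(8_640_000, 2048)` returns 353,894,400,000 bytes, which is about 330 when expressed in GiB (2^30 bytes).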
The Styra DAS software can be installed in any namespace; the installation instructions do not make any assumption about the namespace.
Computing and Networking
The following shows the computing and networking requirements:
Kubernetes 1.11 or later.
32 GB memory.
Access to a Container Registry.
(Optional) Access to an SMTP server.
A Load Balancer (LB) or Ingress to expose the Styra DAS endpoint.
Recommendation: A TLS certificate for the load balancer or Ingress to configure HTTPS.