Getting Started

Styra's Declarative Authorization Service (DAS) works with Kubernetes APIs to provide desired-state security. Styra lets you define policy before runtime, so teams can define, enforce, and validate security with no black boxes, additional servers, or complex configuration. With Styra DAS, on-premise customers can install and configure Styra On-premise in different environments.

Requirements

The following requirements must be met in order to install Styra On-premise on a variety of Kubernetes environments:

Version Compatibility Matrix

The format of the version number is <Release>.<Version>.<Minor>.

For example, version v1.20.x represents the following:

  • v = prefix denoting version

  • R = 1

  • V = 20

  • x = M (x is a placeholder variable to denote compatibility with all bug fixes or enhancement releases)

Where,

R: Release represents the modifications or enhancements to the same product as designated by a change in the R release number. The R release may include new or breaking changes.

V: Version represents the modifications or enhancements to the same product as designated by a change in the V release number.

M: Minor represents the bug fixes and new enhancements to the same product as designated by a change in the patch release number.

Table 1 shows the DAS versions that are compatible with the Istio versions for the purpose of support.

Table 1: Supported Istio Versions

| DAS               | Istio v1.8.x | Istio v1.9.x |
|-------------------|--------------|--------------|
| on-prem-v0.4.6    | YES          | NO           |
| on-prem-v0.4.6.x  | YES          | YES          |

Table 2 shows the Kubernetes versions that are compatible with the on-prem-v0.4.x for the purpose of support.

Table 2: Supported On-Prem-v0.4.x

| Kubernetes | on-prem-v0.4.x |
|------------|----------------|
| v1.16.x    | YES            |
| v1.17.x    | YES            |
| v1.18.x    | YES            |
| v1.19.x    | YES            |
| v1.20.x    | YES            |

Storage Guidelines

  • To estimate the storage requirements, the system was tested with five Kubernetes clusters running the Styra OPA agents, generating approximately 800 decisions every second.

  • With the minimum number of Styra OPA agents running, 128GB of storage was used to store 14 days of decisions.

Important

Styra recommends allocating between 250GB and 500GB of storage to Postgres.

Sizing Elasticsearch

DAS uses Elasticsearch to maintain a search index of policy decisions uploaded by OPA. Sizing the Elasticsearch installation is therefore a matter of determining the volume of decisions that OPA instances upload, on average.

The following approximate formula estimates the total available disk space required to maintain the index:

# of days indexed * # of decisions per day * average size of single decision * overhead factor

By default, DAS maintains the index for 3 days, but since the cleaning takes place once a day, DAS may transiently store decisions for one extra day. The number of decisions per day depends largely on the OPAs connected to DAS, as does the average size of a single decision JSON document. The overhead factor accounts for the replication and indexing overhead of Elasticsearch itself. Styra recommends an overhead multiplier of 5 for extra safety.

For example, assume the following:

  • The default of 3 days of log retention is used. That means DAS will transiently maintain 4 days' worth of decisions.

  • The connected OPAs produce 100 decisions (in total) per second, that is, 8.64 million per day.

  • Each decision JSON document uploaded by OPA takes 2048 bytes on average.

  • Overhead factor of 5.

Therefore, in this example, the total space required to maintain the indices is approximately: 4 * 8640000 * 2048 * 5 = 330GB.
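The following added example (not Styra's code) applies the formula above and derives its two workload inputs, decisions per second and average decision size, from a sample of OPA decision log lines. The function names and the sample entries are constructed for illustration, and it assumes one JSON decision per line with an RFC 3339 `timestamp` field, with the line's byte length standing in for the decision size.

```python
import json
import re
from datetime import datetime

GIB = 1024 ** 3

def estimate_index_bytes(decisions_per_sec, avg_decision_bytes,
                         retention_days=3, overhead=5):
    """Apply the sizing formula; returns bytes of disk for the decision index."""
    days_indexed = retention_days + 1  # daily cleanup: one extra day held transiently
    decisions_per_day = decisions_per_sec * 86_400
    return days_indexed * decisions_per_day * avg_decision_bytes * overhead

def measure_sample(lines):
    """Return (decisions per second, average bytes) for a decision-log sample."""
    stamps, sizes = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts = json.loads(line)["timestamp"]
        ts = re.sub(r"(\.\d{6})\d+", r"\1", ts)  # trim nanoseconds to microseconds
        stamps.append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
        sizes.append(len(line.encode("utf-8")))
    window = (max(stamps) - min(stamps)).total_seconds() if stamps else 0
    if window <= 0:
        raise ValueError("sample must span more than zero seconds")
    # n decisions mark n-1 intervals across the observed window
    return (len(stamps) - 1) / window, sum(sizes) / len(sizes)

def estimate_from_sample(lines, **kwargs):
    """Measure the sample, then size the index for that workload."""
    rate, avg_bytes = measure_sample(lines)
    return estimate_index_bytes(rate, avg_bytes, **kwargs)

# Constructed sample (not real DAS data): 5 decisions, one per second.
SAMPLE = [
    json.dumps({"decision_id": f"d{i}", "path": "admission_control/main",
                "timestamp": f"2021-03-01T12:00:0{i}.000000000Z",
                "input": {"kind": "Pod"}, "result": True})
    for i in range(5)
]

if __name__ == "__main__":
    # The page's worked case: 100 decisions/s at 2048 bytes each.
    print(f"{estimate_index_bytes(100, 2048) / GIB:.0f} GiB")
    print(f"{estimate_from_sample(SAMPLE) / GIB:.2f} GiB for the sample workload")
```

The worked case comes to 353,894,400,000 bytes, which matches the 330GB figure when expressed in binary gigabytes (GiB).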

Namespace

The Styra DAS software can be installed in any namespace; the installation instructions do not make any assumption about the namespace.

Computing and Networking

The following shows the computing and networking requirements:

  • Kubernetes 1.11 or later.

  • Six vCPU.

  • 32 GB memory.

  • Access to a Container Registry.

  • (Optional) Access to an SMTP server.

  • A Load Balancer (LB) or Ingress to expose the Styra DAS endpoint.

  • Recommendation: A TLS certificate for the load balancer or Ingress to configure HTTPS.