Styra DAS Systems
Styra DAS has several pre-defined System types.
Amazon API Gateway
The Styra DAS Amazon API Gateway System manages client API requests permitted within an OPA-integrated Amazon API Gateway. For example, permit API requests only to predefined backend APIs to minimize the risk of data exfiltration and implement microservice API authorization.
Custom
The Custom System is used if your environment has no pre-defined System type. It helps you manage any other real-world Systems integrated with OPA. For example, you can govern public cloud resource configuration, control who has SSH access to a Linux server, or define the authorized readers and writers of Kafka topics.
Emissary-Ingress Gateway
The Emissary-Ingress Gateway System manages the client API requests permitted within your OPA-integrated Emissary-Ingress Gateway. For example, permit API requests only to predefined backend APIs to minimize the risk of data exfiltration or implement microservice API authorization.
Entitlements
The Entitlements System provides a cloud-native Entitlements service that is easily integrated into existing applications, replicated globally, and managed and governed through a single pane of glass.
The Styra DAS Entitlements System provides centralized Entitlements management for self-hosted custom applications. Entitlements Systems integrate custom applications with a separate system that handles all of the rules and regulations on behalf of the application.
Envoy
The Envoy System manages the ingress and egress network traffic permitted within your Envoy-based proxy. For example, permit egress traffic only to a predefined collection of endpoints to minimize the risk of data exfiltration or implement microservice API authorization.
Gloo Edge Gateway
The Gloo Edge System manages ingress network traffic permitted within your OPA-integrated Gloo Edge Gateway (Envoy-based API gateway). For example, permit ingress traffic only to a predefined collection of endpoints to minimize the risk of data exfiltration and implement microservice API authorization.
Istio
The Istio System manages the ingress and egress network traffic permitted within your OPA-integrated Istio service mesh. For example, permit egress traffic only to a predefined collection of endpoints to minimize the risk of data exfiltration or implement microservice API authorization.
Kong Enterprise Gateway
The Kong Enterprise Gateway System manages the client API requests permitted within your OPA-integrated Kong Enterprise Gateway. For example, permit API requests only to predefined backend APIs to minimize the risk of data exfiltration and implement microservice API authorization.
Kong Gateway
The Kong Gateway System manages the client API requests permitted within your OPA-integrated Kong Gateway. For example, permit API requests only to predefined backend APIs to minimize the risk of data exfiltration or implement microservice API authorization.
Kong Mesh
The Kong Mesh System manages the ingress and egress network traffic permitted within your OPA-integrated Kong Mesh. For example, permit egress traffic only to a predefined collection of endpoints to minimize the risk of data exfiltration or implement microservice API authorization.
Kubernetes
A cluster administrator uses the Kubernetes System to write Policies that control the resource configurations allowed to run on a cluster.
For Kubernetes, OPA integrates with the API server, ensuring that Kubernetes authoritatively enforces any Policies you put in place. Every change a user makes to a Kubernetes cluster goes through the Kubernetes API server and OPA. OPA integrates with the API server as an admission controller (either validating or mutating) so that Policies are applied on any modification (create, update, delete), and the entire Kubernetes resource is sent to OPA to decide whether the resource should be allowed onto the cluster.
Kuma
The Kuma System manages the ingress and egress network traffic permitted within your OPA-integrated Kuma Service Mesh. For example, permit egress traffic only to a predefined collection of endpoints to minimize the risk of data exfiltration or implement microservice API authorization.
Repository Scan
The Repository Scan System is a unique System that scans existing Kubernetes or Terraform configuration files stored in a Git repository hosted on a Git provider such as GitHub, Bitbucket, or Azure Git and analyzes the repository for risks. After Repo Scan analyzes the repository, Styra DAS generates a compliance report using policy libraries that identify best practice violations.
Spring Boot SDK
The Styra DAS Spring Boot SDK System can be used to manage a Spring Boot AuthorizationManager provided by the OPA Spring Boot SDK. This enables DAS to create and manage request authorization policies for existing Spring Boot applications that take advantage of Spring Security.
Terraform
The Terraform System puts guardrails on public cloud resources managed with Terraform. For example, you can require all S3 buckets to be encrypted on AWS to ensure your data is encrypted at rest and satisfies your compliance and security requirements.
Styra DAS also supports direct integration with Terraform Cloud and Terraform Enterprise using Terraform run tasks, which requires no infrastructure or OPA agent deployments to get up and running.