Release Notes for Styra DAS

This page describes the release notes for Styra DAS delivered in September 2020.

Release Summary

Styra is built on the Open Policy Agent (OPA), a popular and widely deployed open source project developed by the founders of Styra. With primary credibility for the underlying technology, the Styra team and technology are both proven in production across verticals. Styra enables enterprises to define, enforce, validate, and continually monitor security, compliance and operational policies across the cloud-native application stack. Styra has reinvented authorization solutions to mitigate customer risk and reinforce its commitment to trust and transparency in safeguarding customers’ data. Styra’s Declarative Authorization Service (DAS) is a sophisticated management plane that provides context-based guardrails, built from a graphical policy library, to mitigate risk, reduce human error and accelerate development. Styra makes it possible for enterprises to implement policy-as-code controls and to prove their effectiveness to both internal and external security and compliance audiences.

September 30, 2020

This Styra DAS 20200930 release delivers new features and enhancements, along with a list of fixed issues.

New Features and Enhancements

This section describes the new features and enhancements in Styra DAS 20200930.

GUI

  • This release introduces the Copy JSON path action in the Styra DAS UI. This action is useful for configuring decision log mappings: it copies the path of any attribute in a decision log to your clipboard, so you do not need to backtrack through the full path.

  • When navigating through multiple system settings, the Styra DAS UI now remembers which sub-setting is currently being viewed.

Metrics

  • Prometheus metrics are added to the agentloader to report the count of decisions per tenant, the rate of decisions processed per tenant, the length of the decision queue per tenant, and the timestamp of the last loaded decision.

Networking

  • This release allows you to enable a policy so that no Ingress resource is created with the default IngressClass.

Policy

  • Envoy policies can now override the response status code by specifying a value for status_code in the system or stacks policies.

  • Starting with this release, Role-Based Access Control (RBAC) rules are validated to protect the OPA webhook. The policy rule lets users permit the clusterRoles that are used to edit validatingwebhookconfigurations and mutatingwebhookconfigurations.

  • This release introduces the Multi-File Policy Authoring (MFPA) feature for Custom Systems that allows you to further customize your folders and files. Similar to other file systems, you can create, update, and delete Policies and Data Sources. All existing authoring features are available for these customized files.

  • The policy library rule Storage: Restrict Network File System (NFS) Mount Points is updated so that it allows persistent volumes to be created by persistent volume claims.

Systems

  • This release integrates the Kubernetes system installer and policy-tester with the Kubernetes end-to-end testing framework. This enhancement allows you to execute or add tests on a Kubernetes cluster using a local development environment.

Issues Fixed

This section describes the issues fixed in Styra DAS 20200930.

Storage

  • Fixed the chronological ordering of decision log events.

GUI

  • Improved Git integration reliability on the delete operation to ensure that there is no impact on other systems.

  • When navigating between System and Workspace Git repository settings, the missing states in the workspace-settings were replaced with undefined instead of null.

  • Adjusted the size and color of the validating pane’s decisions' icons to be consistent with other icons in the DAS.

  • Fixed an issue with Preview selection where the preview pane’s output would load indefinitely when an error occurred.

  • Removed redundant API calls on the DAS when viewing a system’s Compliance tab.

  • Added support for empty-bodied assignment after rule else.

  • Fixed an issue in the workspace’s decision log where the Replay button did not appear until the decision’s corresponding system was loaded first.

  • Fixed an issue in the UI where, if a system’s Git was configured incorrectly through the API, the UI would not show up.

Security

  • Added an optional field in token creation to specify the TTL.

Services

  • When Elasticsearch is overloaded with requests, it can respond with a signal to wait in order to reduce the load. The decision indexer failed to obey this signal and retried immediately. The fix makes it sleep for some time on such signals in order to reduce the load on Elasticsearch.

Systems

  • Fixed a bug where changing the Git configuration for a system would break any call to read review branches for that system.

  • The Envoy example application had duplicated configurations of ingress_http for stat_prefix on both filters. To avoid this problem, the egress filter prefix was changed to egress_http.

  • Changed the settings for no_data=systems/{id}/kubernetes/resources so that Kubernetes systems should only filter Kubernetes/resources datasource out of the bundle.

September 22, 2020

This Styra DAS 20200922 release delivers the new enhancements described in the Git, Storage, and Systems sections.

New Features and Enhancements

This section describes the new features and enhancements in Styra DAS 20200922.

Git

  • This release updates the system status page to include visibility into the Git syncing state when using Git-backed storage.

Policy Library

  • Prior to this release, the library rule for prohibiting master workloads was not comprehensive. The rule could be circumvented by an application that declares a nodeName value in its specification that assigns it to a master node. This release adds a rule to prohibit the usage of nodeName in submitted specifications. This rule can be used in combination with the prohibit master workloads rule to prevent workloads from being assigned to the master node.
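
The nodeName check described above, written as an added Rego admission policy (it is not Styra's library rule). The package name, the controller kinds covered and the sample requests are assumptions made for this example.

```rego
package example.admission.nodename

import rego.v1

# Controller kinds whose pod spec lives under spec.template.spec (assumed list).
template_kinds := {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}

pod_spec(obj) := obj.spec if obj.kind == "Pod"

pod_spec(obj) := obj.spec.template.spec if obj.kind in template_kinds

pod_spec(obj) := obj.spec.jobTemplate.spec.template.spec if obj.kind == "CronJob"

# Bare Pods are checked on CREATE only: once scheduled, every Pod carries a
# nodeName, so checking UPDATE would reject edits to already-running Pods.
checked(obj, op) if {
	obj.kind == "Pod"
	op == "CREATE"
}

checked(obj, op) if {
	obj.kind != "Pod"
	op in {"CREATE", "UPDATE"}
}

# Deny any submitted specification that assigns its pods to a node directly.
deny contains msg if {
	obj := input.request.object
	checked(obj, input.request.operation)
	spec := pod_spec(obj)
	node := spec.nodeName
	node != ""
	msg := sprintf("%s %q sets nodeName %q; pods must be placed by the scheduler", [obj.kind, obj.metadata.name, node])
}

# Constructed admission request: a Deployment that pins its pods to a node.
pinned := {"request": {"operation": "CREATE", "object": {
	"kind": "Deployment",
	"metadata": {"name": "pinned"},
	"spec": {"template": {"spec": {"nodeName": "master-0"}}},
}}}

# The same request with nodeName removed.
unpinned := json.remove(pinned, ["request/object/spec/template/spec/nodeName"])

test_pinned_is_denied if count(deny) == 1 with input as pinned

test_unpinned_is_allowed if count(deny) == 0 with input as unpinned
```

The two `test_` rules run with `opa test` on an OPA version that supports `import rego.v1`.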

Storage

  • Starting from this release, you can use the Elasticsearch index templates to automatically create indices with correct settings.

Systems

  • Now, you can configure the validating webhook to include resources and subresources: [*, pods/*, certificatesigningrequests/*] by default in the Kubernetes systems.