Skip to main content

Release Notes for Styra DAS On-Premises 0.8.0

Styra DAS On-Premises version 0.8.0 was released on September 2, 2022

Upgrade Notes

When upgrading from the 0.7.x release, the 0.8.0 release includes three new microservices. These are:

  • agentstatusstore
  • blueprints
  • mock-opa

During the upgrade process, the "Deployments" pane in the UI will not be functional until the agentstatusstore pods are available. This could mean up to 10 minutes of downtime for the OPA reporting functionality during the upgrade. Other functionality of DAS is not impacted, so bundle distribution and other APIs should not have any downtime during the upgrade.


The 0.8.0 release updates the default version of the pre-bundled postgres statefulset from 11.2 to 14.5. If a self-hosted installation is still running with the pre-bundled postgres statefulset as a backing data layer (not recommended for production use cases), and the user is upgrading DAS from a pre-0.8.0 version, the update to postgres can cause the installation to break due to an inability to upgrade postgres. There are currently three ways to mitigate this:

  • (POC/Demo environments): If the setup allows, fully uninstalling DAS and performing a fresh install from 0.8.0 will mitigate the issue. This will cause data loss.
  • (Production environments): It may be possible to upgrade a postgres statefulset in place using the pgupgrade tool. This is not a fully explored workflow and may require working with support.
  • (Manual Override): If upgrading to DAS 0.8.0 is high-priority, it is possible to manually overwrite the image tags in the downloaded postgres manifests to use 11.2 instead of 14.5. DAS 0.8.0 is still fully compatible with postgres 11.2, the default installation was upgraded due to best practice, not due to a software dependency. Note that this override would be necessary for future upgrades as well. We recommend pursuing one of the options above instead.

The issue above will only affect users who are both upgrading to DAS 0.8.0 from an older version, and are still relying on the pre-bundled postgres statefulset as a datastore, as opposed to a third party offering such as RDS.

New Features and Enhancements

This section describes new features and enhancements.

Updated Support for Envoy

New support for Envoy includes Envoy installation with or without SLP, new rules within the Envoy system for ingress and egress, and conflict resolution rules.

Support for Gateway Systems

Styra DAS now supports the following Gateway Systems:

  • Amazon API Gateway
  • Gloo Edge Gateway
  • Kong Enterprise Gateway

Infrastructure Enhancement

Styra DAS adds the ability to forcibly evict a Relay Client by ID, which can expedite troubleshooting.

Entitlements System New Snippet

The Entitlements System adds a new User Can Do What snippet, allowing for information about what resources the user can access with which actions can be injected into the entz set for decisions.

Wildcard Support

SSO claims mappings now support wildcards.

Policy Performance Insight Enhancement

The policy preview pane displays the amount of time to evaluate Policies.

Support for Terraform Cloud and Terraform Enterprise integration

The Terraform system type now supports direct integration with HashiCorp's Terraform Cloud and Terraform Enterprise workspaces via run tasks to evaluate Terraform policy guardrails against Terraform Cloud and Terraform Enterprise workspace plans. Refer to the Terraform system type documentation for full details and setup instructions.

Styra API Updates

The Styra API displays information for User Roles.

New Role for MetadataManager

The new Role for MetadataManager grants the ability to view and update a system's label and feature metadata.

Negation added to Policy Editor Filters

The Kubernetes System adds negation to PolicyEditor filters.

Snippet Enhancements

Snippets include additional metadata to provide additional information.

OPA Update

Styra DAS is updated with OPA 0.41.

Access Control Permissions

The logic for Access Control permissions has been updated to support wildcards.

Enhanced Snippet Support

The ‘groups bound to subject’ and ‘roles bound to subject’ snippets now populate the found groups/roles into the entz field of their result.

Delta Bundle Support

The ability to use Delta Bundles served from Styra DAS for OPAs can be enabled through tenant-level feature flags. Once enabled, the option to generate Delta Bundles is available in SYSTEMS >> Settings >> Bundle Registry. Bundle Types are shown in OPA Instance Cards in SYSTEMS >> Deployments >> OPA Instances if the OPA version is at least 0.40.

Fixed Issues

This section describes fixed issues.

Styra DAS UI

  • The Create System dialog box toggle switches were updated for clarity.
  • The Install page command for "Update Styra Datasource" was not properly displayed for a custom data source.
  • An Admin logging in through SSO was unable to create a Library through the Styra DAS UI.
  • The Styra DAS UI does not display errors unless the System with the error is selected and expanded.


  • If the validate tests Styra CLI command omits .rego from the end in the -p parameter, no useful error message is generated.
  • The validate check-local CLI command did not allow Styra DAS Free users to locally validate Kubernetes manifests against Styra DAS policy rules.


If a non-valid Rego policy was pushed to Git, "Git status" rendered an older, incorrect Git commit hash.


If a user with no workspace-level roles tries to change their password, the password change box was not displayed.


The library snippet enforce_container_mustrunasnonroot now blocks containers from any resource type, including Kubernetes cron jobs.

Entitlements System

The Entitlements system type Installation page / Kubernetes service tab presents a Kubernetes config YAML that contains a ConfigMap for storing sensitive Styra tokens.

Library Snippet

The GET library snippet for /v1/policies?metadata=library-snippet returns an empty value with the SystemPolicyEditor user role.


Authz enforcement for querying specific cursors did not provide the correct result.

Decision Replays

Decision replay does not work for Terraform and Entitlements Systems.

OPA Version

The minimum OPA version cannot be identified if any of the policies have rule names that collide with rego operators or built-ins.

WorkspaceAdmin Role

Global Read Only prevents a WorkspaceAdmin from updating policies.

Terraform Run Tasks

After running a Terraform Run Task, the system to workspace mapping and run task status display the previous Terraform Run Task entry.

Scan for Violations Operation

The Kubernetes System Compliance screen is not updated after a "Scan for violations" operation.

System PUT API

The System PUT API allowed the creation of a System when the functionality should have only allowed updates.

Role Access

Git status was not available for System Owners.

System User Role

The SystemManager role was able to update/modify the authz permissions of a Styra DAS System.