Release Notes for Styra DAS On-Premises 0.8.0
Styra DAS On-Premises version 0.8.0 was released on September 2, 2022.
Upgrade Notes
When upgrading from a 0.7.x release, note that the 0.8.0 release adds three new microservices:
- agentstatusstore
- blueprints
- mock-opa
During the upgrade process, the "Deployments" pane in the UI will not be functional until the agentstatusstore pods are available. This could mean up to 10 minutes of downtime for the OPA reporting functionality during the upgrade. Other DAS functionality is not impacted, so bundle distribution and the other APIs should not have any downtime during the upgrade.
The 0.8.0 release updates the default version of the pre-bundled postgres statefulset from 11.2 to 14.5. If a self-hosted installation is still running with the pre-bundled postgres statefulset as its backing data layer (not recommended for production use cases), and the user is upgrading DAS from a pre-0.8.0 version, the postgres update can break the installation because postgres cannot be upgraded in place. There are currently three ways to mitigate this:
- (POC/Demo environments): If the setup allows, fully uninstalling DAS and performing a fresh install of 0.8.0 will mitigate the issue. This will cause data loss.
- (Production environments): It may be possible to upgrade a postgres statefulset in place using the pg_upgrade tool. This is not a fully explored workflow and may require working with support.
- (Manual Override): If upgrading to DAS 0.8.0 is high priority, it is possible to manually overwrite the image tags in the downloaded postgres manifests to use 11.2 instead of 14.5. DAS 0.8.0 is still fully compatible with postgres 11.2; the default installation was upgraded as a matter of best practice, not because of a software dependency. Note that this override would be necessary for future upgrades as well. We recommend pursuing one of the options above instead.
The issue above will only affect users who are both upgrading to DAS 0.8.0 from an older version and still relying on the pre-bundled postgres statefulset as a datastore, as opposed to a third-party offering such as RDS.
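The manual override described above, as an added example that is not part of the release notes or Styra's tooling: a small set of shell helpers that report which postgres tag a downloaded manifest references, decide whether it would trigger the 11.2 to 14.5 jump, and pin it back to 11.2. It assumes (the page does not say) that the manifests are plain YAML files and that the statefulset references the database as "...postgres:<tag>" on an "image:" line.

```shell
#!/bin/sh
# Added example (not from the Styra release notes): helpers for the
# "Manual Override" path, pinning the pre-bundled postgres manifests to 11.2
# before applying a DAS 0.8.0 upgrade, and re-checking them on later upgrades.
# Assumptions not stated on the page: the downloaded manifests are plain YAML
# files, and the statefulset references the database as "...postgres:<tag>"
# on an "image:" line.
set -eu

# Print the postgres image tag(s) a manifest references, one per line.
# Quoted and unquoted image values and registry prefixes are all handled.
postgres_tags() {
  sed -n '/image:/ s/^.*postgres:\([0-9][0-9.]*\).*$/\1/p' "$1"
}

# Exit status 0 if the manifest still references postgres 14.5, i.e. applying
# it over a pre-0.8.0 installation would attempt the in-place postgres upgrade.
needs_override() {
  postgres_tags "$1" | grep -qx '14.5'
}

# Rewrite every postgres:14.5 image reference in the manifest to postgres:11.2.
# Only "image:" lines are touched, and the trailing [^0-9]* guard keeps a tag
# such as 14.50 from matching. The rewrite is idempotent, which matters because
# the release notes say the override must be re-applied on future upgrades.
pin_postgres_11_2() {
  sed -i.bak '/image:/ s#postgres:14\.5\([^0-9]*\)$#postgres:11.2\1#' "$1"
  rm -f "$1.bak"
  # Fail loudly if any 14.5 reference survived (an image format this script
  # does not recognise), rather than letting the upgrade proceed unpinned.
  if needs_override "$1"; then
    echo "error: postgres:14.5 reference still present in $1" >&2
    return 1
  fi
  echo "$1: postgres image pinned to 11.2"
}
```

Run needs_override on each downloaded manifest before every upgrade; a non-zero exit on every file means the override is already in place and nothing needs rewriting.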
New Features and Enhancements
This section describes new features and enhancements.
Updated Support for Envoy
New support for Envoy includes Envoy installation with or without SLP, new rules within the Envoy system for ingress and egress, and conflict resolution rules.
Support for Gateway Systems
Styra DAS now supports the following Gateway Systems:
- Amazon API Gateway
- Gloo Edge Gateway
- Kong Enterprise Gateway
Infrastructure Enhancement
Styra DAS adds the ability to forcibly evict a Relay Client by ID, which can expedite troubleshooting.
Entitlements System New Snippet
The Entitlements System adds a new User Can Do What snippet, which allows information about which resources the user can access, and with which actions, to be injected into the entz set for decisions.
Wildcard Support
SSO claims mappings now support wildcards.
Policy Performance Insight Enhancement
The policy preview pane displays the time taken to evaluate policies.
Support for Terraform Cloud and Terraform Enterprise integration
The Terraform system type now supports direct integration with HashiCorp's Terraform Cloud and Terraform Enterprise workspaces via run tasks to evaluate Terraform policy guardrails against Terraform Cloud and Terraform Enterprise workspace plans. Refer to the Terraform system type documentation for full details and setup instructions.
Styra API Updates
The Styra API displays information for User Roles.
New Role for MetadataManager
The new Role for MetadataManager grants the ability to view and update a system's label and feature metadata.
Negation added to Policy Editor Filters
The Kubernetes System adds negation to PolicyEditor filters.
Snippet Enhancements
Snippets now include additional metadata describing the snippet.
OPA Update
Styra DAS is updated with OPA 0.41.
Access Control Permissions
The logic for Access Control permissions has been updated to support wildcards.
Enhanced Snippet Support
The ‘groups bound to subject’ and ‘roles bound to subject’ snippets now populate the found groups/roles into the entz field of their result.
Delta Bundle Support
The ability to use Delta Bundles served from Styra DAS for OPAs can be enabled through tenant-level feature flags. Once enabled, the option to generate Delta Bundles is available in SYSTEMS >> Settings >> Bundle Registry. Bundle Types are shown in OPA Instance Cards in SYSTEMS >> Deployments >> OPA Instances if the OPA version is at least 0.40.
Fixed Issues
This section describes fixed issues.
Styra DAS UI
- The Create System dialog box toggle switches were updated for clarity.
- The Install page command for "Update Styra Datasource" was not properly displayed for a custom data source.
- An Admin logging in through SSO was unable to create a Library through the Styra DAS UI.
- The Styra DAS UI does not display errors unless the System with the error is selected and expanded.
Styra DAS CLI
- If the -p parameter of the validate tests Styra CLI command omits the .rego extension, no useful error message is generated.
- The validate check-local CLI command did not allow Styra DAS Free users to locally validate Kubernetes manifests against Styra DAS policy rules.
Core
If a non-valid Rego policy was pushed to Git, "Git status" rendered an older, incorrect Git commit hash.
Backend
If a user with no workspace-level roles tries to change their password, the password change box was not displayed.
Policy
The library snippet enforce_container_mustrunasnonroot now blocks containers from any resource type, including Kubernetes cron jobs.
Entitlements System
The Entitlements system type Installation page / Kubernetes service tab presents a Kubernetes config YAML that contains a ConfigMap for storing sensitive Styra tokens.
Library Snippet
The GET library snippet for /v1/policies?metadata=library-snippet returns an empty value with the SystemPolicyEditor user role.
Decisions
Authz enforcement for querying specific cursors did not provide the correct result.
Decision Replays
Decision replay does not work for Terraform and Entitlements Systems.
OPA Version
The minimum OPA version cannot be identified if any of the policies have rule names that collide with rego operators or built-ins.
WorkspaceAdmin Role
Global Read Only prevents a WorkspaceAdmin from updating policies.
Terraform Run Tasks
After running a Terraform Run Task, the system-to-workspace mapping and the run task status display the previous Terraform Run Task entry.
Scan for Violations Operation
The Kubernetes System Compliance screen is not updated after a "Scan for violations" operation.
System PUT API
The System PUT API allowed the creation of a System when the functionality should have only allowed updates.
Role Access
Git status was not available for System Owners.
System User Role
The SystemManager role was able to update/modify the authz permissions of a Styra DAS System.