
Release Notes for Styra DAS On-Premises 0.8.0

Styra DAS On-Premises version 0.8.0 was released on September 2, 2022

Upgrade Notes

Compared with the 0.7.x release, the 0.8.0 release includes three new microservices:

  • agentstatusstore
  • blueprints
  • mock-opa

During the upgrade process, the "Deployments" pane in the UI will not be functional until the agentstatusstore pods are available. This could mean up to 10 minutes of downtime for the OPA reporting functionality during the upgrade. Other functionality of DAS is not impacted, so bundle distribution and other APIs should not have any downtime during the upgrade.


The 0.8.0 release updates the default version of the pre-bundled postgres statefulset from 11.2 to 14.5. If a self-hosted installation is still running with the pre-bundled postgres statefulset as a backing data layer (not recommended for production use cases), and the user is upgrading DAS from a pre-0.8.0 version, the update to postgres can cause the installation to break due to an inability to upgrade postgres. There are currently three ways to mitigate this:

  • (POC/Demo environments): If the setup allows, fully uninstalling DAS and performing a fresh install from 0.8.0 will mitigate the issue. This will cause data loss.
  • (Production environments): It may be possible to upgrade a postgres statefulset in place using the pgupgrade tool. This is not a fully explored workflow and may require working with support.
  • (Manual Override): If upgrading to DAS 0.8.0 is high-priority, it is possible to manually overwrite the image tags in the downloaded postgres manifests to use 11.2 instead of 14.5. DAS 0.8.0 is still fully compatible with postgres 11.2; the default installation was upgraded due to best practice, not due to a software dependency. Note that this override would be necessary for future upgrades as well. We recommend pursuing one of the options above instead.

The issue above only affects users who are both upgrading to DAS 0.8.0 from an older version and still relying on the pre-bundled postgres statefulset as a datastore, as opposed to a third-party offering such as RDS.
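The manual override described above, as an added example that is not Styra's own tooling: it finds postgres image tags in a downloaded manifest whose major version differs from the one currently running and pins them back, leaving every other line untouched. The image repository name `postgres`, the sample manifest and the function names are assumptions made for illustration.

```python
import re

# Matches an `image:` line whose repository name ends in "postgres", e.g.
#   image: postgres:14.5    or    - image: registry.example:5000/library/postgres:14.5
IMAGE_RE = re.compile(
    r'^(?P<head>\s*(?:-\s+)?image:\s*["\']?'
    r'(?P<repo>(?:[\w.\-]+(?::\d+)?/)*postgres)):'
    r'(?P<tag>[\w.\-]+)(?P<tail>["\']?\s*)$'
)

def major(tag):
    """Major version of a PostgreSQL 10+ tag such as '11.2' or '14.5'."""
    m = re.match(r"(\d+)", tag)
    return int(m.group(1)) if m else None

def pin_postgres_tag(manifest_text, running_tag):
    """Rewrite postgres image tags whose major version differs from running_tag.

    Returns (new_text, changes); each change is (line_no, repo, old_tag, new_tag).
    Working line by line keeps comments and formatting byte-for-byte intact.
    """
    out, changes = [], []
    for line_no, line in enumerate(manifest_text.splitlines(keepends=True), 1):
        m = IMAGE_RE.match(line)
        if m and major(m.group("tag")) != major(running_tag):
            changes.append((line_no, m.group("repo"), m.group("tag"), running_tag))
            line = f'{m.group("head")}:{running_tag}{m.group("tail")}'
        out.append(line)
    return "".join(out), changes

# Constructed sample, not the manifest shipped with DAS.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  template:
    spec:
      containers:
        - name: postgres
          image: postgres:14.5
        - name: exporter
          image: example/pg-exporter:0.1
"""

if __name__ == "__main__":
    pinned, changes = pin_postgres_tag(SAMPLE_MANIFEST, "11.2")
    for line_no, repo, old, new in changes:
        print(f"line {line_no}: {repo}:{old} -> {repo}:{new}")
```

An empty change list means the manifest would not move the datastore across a major version, so the same function doubles as a pre-upgrade check.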

New Features and Enhancements

This section describes new features and enhancements.

Updated Support for Envoy

New support for Envoy includes Envoy installation with or without SLP, new rules within the Envoy system for ingress and egress, and conflict resolution rules.

Support for Gateway Systems

Styra DAS now supports the following Gateway Systems:

  • Amazon API Gateway
  • Gloo Edge Gateway
  • Kong Enterprise Gateway

Infrastructure Enhancement

Styra DAS adds the ability to forcibly evict a Relay Client by ID, which can expedite troubleshooting.

Entitlements System New Snippet

The Entitlements System adds a new User Can Do What snippet, which allows information about which resources the user can access, and with which actions, to be injected into the entz set for decisions.

Wildcard Support

SSO claims mappings now support wildcards.

Policy Performance Insight Enhancement

The policy preview pane displays the amount of time to evaluate Policies.

Support for Terraform Cloud and Terraform Enterprise integration

The Terraform system type now supports direct integration with HashiCorp's Terraform Cloud and Terraform Enterprise workspaces via run tasks to evaluate Terraform policy guardrails against Terraform Cloud and Terraform Enterprise workspace plans. Refer to the Terraform system type documentation for full details and setup instructions.

Styra API Updates

The Styra API displays information for User Roles.

New Role for MetadataManager

The new Role for MetadataManager grants the ability to view and update a system's label and feature metadata.

Negation added to Policy Editor Filters

The Kubernetes System adds negation to PolicyEditor filters.

Snippet Enhancements

Snippets now include additional metadata that provides more information.

OPA Update

Styra DAS is updated with OPA 0.41.

Access Control Permissions

The logic for Access Control permissions has been updated to support wildcards.

Enhanced Snippet Support

The ‘groups bound to subject’ and ‘roles bound to subject’ snippets now populate the found groups/roles into the entz field of their result.

Delta Bundle Support

The ability to use Delta Bundles served from Styra DAS for OPAs can be enabled through tenant-level feature flags. Once enabled, the option to generate Delta Bundles is available in SYSTEMS >> Settings >> Bundle Registry. Bundle Types are shown in OPA Instance Cards in SYSTEMS >> Deployments >> OPA Instances if the OPA version is at least 0.40.

Fixed Issues

This section describes fixed issues.

Styra DAS UI

  • The Create System dialog box toggle switches were updated for clarity.
  • The Install page command for "Update Styra Datasource" was not properly displayed for a custom data source.
  • An Admin logging in through SSO was unable to create a Library through the Styra DAS UI.
  • The Styra DAS UI did not display errors unless the System with the error was selected and expanded.

Styra DAS CLI

  • If the -p parameter of the validate tests Styra CLI command omitted .rego from the end, no useful error message was generated.
  • The validate check-local CLI command did not allow Styra DAS Free users to locally validate Kubernetes manifests against Styra DAS policy rules.

Core

If a non-valid Rego policy was pushed to Git, "Git status" rendered an older, incorrect Git commit hash.

Backend

If a user with no workspace-level roles tried to change their password, the password change box was not displayed.

Policy

The library snippet enforce_container_mustrunasnonroot now blocks containers from any resource type, including Kubernetes cron jobs.

Entitlements System

The Entitlements system type Installation page / Kubernetes service tab presented a Kubernetes config YAML that contained a ConfigMap for storing sensitive Styra tokens.

Library Snippet

The GET library snippet for /v1/policies?metadata=library-snippet returned an empty value with the SystemPolicyEditor user role.

Decisions

Authz enforcement for querying specific cursors did not provide the correct result.

Decision Replays

Decision replay did not work for Terraform and Entitlements Systems.

OPA Version

The minimum OPA version could not be identified if any of the policies had rule names that collided with Rego operators or built-ins.

WorkspaceAdmin Role

Global Read Only prevented a WorkspaceAdmin from updating policies.

Terraform Run Tasks

After running a Terraform Run Task, the system to workspace mapping and run task status displayed the previous Terraform Run Task entry.

Scan for Violations Operation

The Kubernetes System Compliance screen was not updated after a "Scan for violations" operation.

System PUT API

The System PUT API allowed the creation of a System when the functionality should have only allowed updates.

Role Access

Git status was not available for System Owners.

System User Role

The SystemManager role was able to update/modify the authz permissions of a Styra DAS System.