All policies in the Styra DAS are written in Rego, the declarative open-source policy language defined by the Open Policy Agent (OPA), a project hosted by the Cloud Native Computing Foundation (CNCF). Rego is a purpose-built, textual language that is flexible enough to express policy across the entire cloud-native stack. Once you have written your policies in Rego, you can use OPA to enforce them, which mitigates risk, reduces human error, and accelerates development.
The Styra DAS provides a purpose-built policy-authoring experience for Rego that you can use across all of the DAS system types, whether you are writing policy for microservice API authorization, Kubernetes admission control, or another use case. You use the same language and toolset for writing, testing, and debugging policy. At the same time, the DAS aims to tailor the authoring experience to each DAS system type.
The policy authoring process is divided into the following tasks.
- Write Policies
- Test Policies
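As an added illustration of the write-then-test loop above (this is example code, not policy shipped with the Styra DAS or taken from the OPA documentation), here is a small Kubernetes admission-control policy in Rego together with its unit tests. The package name, the `pod` helper, and the trimmed AdmissionReview inputs are assumptions constructed for the example; it uses a plain OPA package layout rather than any DAS-specific one. The tests live in the same package so the whole block is one runnable file; in practice they would sit in a sibling `*_test.rego` file with the same `package` line.

```rego
package kubernetes.admission

import rego.v1

# Gather regular and init containers into one set so that init containers,
# which are easy to overlook, are checked by the same rule.
containers contains c if some c in input.request.object.spec.containers

containers contains c if some c in input.request.object.spec.initContainers

# Produce one deny message per Pod container that requests privileged mode.
# If securityContext or privileged is absent, the lookup is undefined and the
# rule body fails, so no message is produced for that container.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# ---- unit tests (same package; normally a sibling *_test.rego file) ----

# Constructed AdmissionReview input, trimmed to the fields the policy reads.
pod(main_containers, init_containers) := {"request": {
	"kind": {"kind": "Pod"},
	"object": {"spec": {
		"containers": main_containers,
		"initContainers": init_containers
	}}
}}

test_privileged_container_is_denied if {
	result := deny with input as pod([{"name": "app", "securityContext": {"privileged": true}}], [])
	result == {"container \"app\" must not run privileged"}
}

test_privileged_init_container_is_denied if {
	result := deny with input as pod(
		[{"name": "app"}],
		[{"name": "setup", "securityContext": {"privileged": true}}]
	)
	count(result) == 1
}

test_unprivileged_pod_is_allowed if {
	result := deny with input as pod(
		[{"name": "app", "securityContext": {"privileged": false}}, {"name": "sidecar"}],
		[]
	)
	count(result) == 0
}

test_non_pod_is_ignored if {
	result := deny with input as {"request": {"kind": {"kind": "Deployment"}, "object": {"spec": {}}}}
	count(result) == 0
}
```

Save the block as a `.rego` file and run `opa test -v .`; every `test_` rule that evaluates to true passes, and `with input as` is what lets each test substitute its own constructed request. One caveat the last two tests make visible: because a missing field is undefined rather than false, a rule written as `c.securityContext.privileged == true` only fires on an explicit `true`. That is the intended behaviour for a "must not be privileged" check, but a "must set X" requirement has to be written the other way round, for example `not c.securityContext.runAsNonRoot == true`, so that an absent field is treated as a violation.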
The DAS provides several different interfaces for writing policy so that you can choose the interface that best matches your needs.
The power user who needs the full flexibility of Rego can use an IDE that includes syntax highlighting, interactive evaluation, unit testing, and integration with the decision log.
An administrator who is familiar with a system like Kubernetes can browse a list of pre-built rules to learn what policies others have used, then quickly implement and customize those rules. An administrator can also write custom rules in Rego.
Users who are familiar with an outside policy definition, such as PCI-DSS, can use policy packs to understand how those external requirements map onto specific DAS system types. For example, there is a PCI-DSS policy pack that is mapped onto Kubernetes.
Not all of these interfaces are available for every DAS system and every policy type within those systems. Today, Kubernetes is the most advanced in terms of policy authoring and supports all three interfaces. For more information about policy authoring for individual DAS systems, see the Write Custom Rules page.