Write Policies

All policies in the Styra DAS are written in Rego, the declarative open-source policy language defined by the Open Policy Agent (OPA), which is owned by the Cloud Native Computing Foundation (CNCF). Rego is a purpose-built, textual language that is flexible enough to express policy across the entire cloud-native stack. Once you have written your policies in Rego, you can use OPA to enforce them to mitigate risks, reduce human error, and accelerate development.

The Styra DAS provides a purpose-built policy-authoring experience for Rego that you can use across all of the different DAS system-types, whether you are writing policy for microservice API authorization, Kubernetes admission control, or other use cases. You use the same language and toolset for writing, testing, and debugging policy. At the same time, the DAS aims to tailor the authoring experience to each DAS system-type.

The policy authoring process is divided into the following tasks.

The DAS provides several different interfaces for writing policy so that you can choose the interface that best matches your needs.

IDE

Power users who need the full flexibility of Rego can use an IDE that includes syntax highlighting, interactive evaluation, unit testing, and integration with the decision log.

Pre-built Rules

An administrator who is familiar with a system like Kubernetes can peruse a list of pre-built rules to learn what policies other people have used and quickly implement and customize those rules. An administrator can optionally write custom rules in Rego.
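As an added illustration of the custom rules and unit testing mentioned above (example code, not from the Styra documentation), here is a Kubernetes admission rule in Rego with the tests that exercise it; the package name, the admission-request shape and the image-tag rule are assumptions made for the example:

```rego
package kubernetes.admission

# Deny any Pod whose containers reference an image without a pinned tag
# (no tag at all, or the mutable ":latest" tag).
deny[msg] {
    input.request.kind.kind == "Pod"
    container := input.request.object.spec.containers[_]
    not has_explicit_tag(container.image)
    msg := sprintf("container %q uses image %q without a pinned tag", [container.name, container.image])
}

# True when the final path segment of the image carries a tag other than
# "latest". Splitting on "/" first keeps a registry port (registry:5000/app)
# from being mistaken for a tag.
has_explicit_tag(image) {
    segments := split(image, "/")
    idx := count(segments) - 1
    tag_parts := split(segments[idx], ":")
    count(tag_parts) == 2
    tag_parts[1] != "latest"
}

# Constructed admission request used by the unit tests below.
pod_request(image) := {
    "request": {
        "kind": {"kind": "Pod"},
        "object": {"spec": {"containers": [{"name": "app", "image": image}]}},
    },
}

test_latest_tag_is_denied {
    count(deny) == 1 with input as pod_request("nginx:latest")
}

test_missing_tag_is_denied {
    count(deny) == 1 with input as pod_request("registry.example.com:5000/nginx")
}

test_pinned_tag_is_allowed {
    count(deny) == 0 with input as pod_request("nginx:1.25.3")
}

test_non_pod_is_ignored {
    count(deny) == 0 with input as {"request": {"kind": {"kind": "Service"}}}
}
```

Saved as one file, the rule and its tests run together with `opa test .`, which is the same workflow the DAS IDE exposes for unit testing.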

Policy Packs

Users who are familiar with outside policy definitions, such as PCI-DSS, can use policy packs to understand how to map those outside definitions onto specific DAS system-types. For example, there is a policy pack for PCI-DSS that is mapped onto Kubernetes.

Not all of these interfaces are available for every DAS System, or for every policy type within a system. Today, Kubernetes is the most advanced in terms of policy authoring and supports all three interfaces. For more information about policy authoring for individual DAS Systems, see the Write Custom Rules page.