
Operations on Stacks

This page explains the operations you can perform on Stacks.

Create a Stack

Stacks appear in the styra-das-id.styra.com web application between the Workspace and Systems sections of the navigation panel.

To create a Stack:

  1. Click the ( ⨁ ) plus icon next to the STACKS heading.
  2. In the Add Stack > Kubernetes default pop-up window, select the Stack Type from the drop-down list.
  3. Enter a Stack name (required), which is a human-friendly label for your stack.
  4. Optionally, type a description in the Description field.
  5. In the Permissions field, leave the Read-only toggle switch disabled unless you want to prevent users from modifying policies through the Styra UIs (recommended if you author policies using another tool and then deploy them using the Styra APIs).
  6. Click Add stack.

Add Systems to a Stack

Your stack identifies the systems it will manage through the use of selectors defined by the stack, along with labels defined by individual systems. You must configure the selectors and labels, in order to add systems to your stack.

Info: By default, every system defines a system-type label (example: "system-type": "kubernetes"). You can use the system-type label to connect a stack to all systems with the same type.

Define Selectors for a Stack

Selectors allow a stack to discover the systems it should manage. A selector is a label that a stack expects related systems to define. Any system that includes a matching label will be added to the stack.

To define a selector:

  1. Expand your stack by clicking the ( > ) chevron icon next to your stack’s name in the inventory navigation panel.
  2. Open the Selectors module.
  3. Fill out the include Key and Values fields with a label key-value pair, such as “environment” and “development”.
  4. Click the ( ⇤ ) publish icon to activate your changes.

Define Labels for a Stack

If the stack’s selectors are defined, then you can connect a system to the stack by defining a matching label for the system. Labels codify a system’s functions (example: production), contracts (example: PCI compliance), life cycle (example: release), and other characteristics so that related subsets of systems can be selected and managed together.

To define a label:

  1. Pick a system from the Systems section of the navigation panel and expand it by clicking the ( > ) chevron icon next to the system name.
  2. Click the Labels module.
  3. Click a ( ⨁ ) plus icon to create a new label.
  4. Enter a Key and Value pair that matches the selector you defined previously.
  5. Click the ( ⇤ ) publish icon to activate your changes.

Verify the Connection

To verify if the systems are connected to your stack:

  1. Return to the stack’s Selectors module.
  2. Click the Preview button.

The system you labeled previously should be included in the output as part of the "systems" object, which consists of key-value pairs mapping each matching system ID to its human-readable name.

For example:

{
  "systems": {
    "e3dc07b94ed4edb3bb12df98f5f4d86d": "dev-us-east-1c"
  }
}

Info: A system's Labels module must be published in order for the stack to discover it.
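The selector and label matching described in the sections above, modelled in Python as an added example (this is not Styra's own code and not how DAS implements selectors internally). It assumes a constructed inventory in which each system carries the default system-type label plus any labels its owner added, and a "published" flag standing in for the note that unpublished Labels modules are invisible to the stack. The output is shaped like the Selectors module's Preview; only the first system ID is taken from the page, the others are constructed.

```python
# Constructed sample inventory (not real Styra DAS data). Each system has an
# id, a human-readable name and the labels it defines. "published" models the
# requirement that a system's Labels module must be published before a stack
# can discover it. Every system carries the default system-type label.
SYSTEMS = [
    {"id": "e3dc07b94ed4edb3bb12df98f5f4d86d", "name": "dev-us-east-1c",
     "labels": {"system-type": "kubernetes", "environment": "development"},
     "published": True},
    {"id": "0f1e2d3c4b5a69788796a5b4c3d2e1f0", "name": "dev-eu-west-1a",
     "labels": {"system-type": "kubernetes", "environment": "development"},
     "published": False},   # labels edited but not yet published
    {"id": "1234567890abcdef1234567890abcdef", "name": "prod-us-east-1a",
     "labels": {"system-type": "kubernetes", "environment": "production"},
     "published": True},
    {"id": "fedcba0987654321fedcba0987654321", "name": "envoy-edge",
     "labels": {"system-type": "envoy", "environment": "development"},
     "published": True},
]


def select_systems(systems, include):
    """Return the stack's "systems" object: {system_id: name} for every
    published system whose labels satisfy all include selectors.

    `include` maps a label key to the set of acceptable values, mirroring the
    Include Key / Values fields of the stack's Selectors module. A system
    matches only if every selector key is present with an acceptable value.
    """
    selected = {}
    for system in systems:
        if not system["published"]:
            continue  # unpublished labels are not visible to the stack
        labels = system["labels"]
        if all(labels.get(key) in values for key, values in include.items()):
            selected[system["id"]] = system["name"]
    return selected


def preview(systems, include):
    """Shape the result the way the Selectors module's Preview displays it."""
    return {"systems": select_systems(systems, include)}


if __name__ == "__main__":
    import json
    # A selector on "environment" = "development" picks up every published
    # development system regardless of type; adding "system-type" narrows it.
    print(json.dumps(preview(SYSTEMS, {"environment": {"development"}}), indent=2))
    print(json.dumps(preview(SYSTEMS, {"system-type": {"kubernetes"},
                                       "environment": {"development"}}), indent=2))
```

The second call shows why the default system-type label is useful as an additional selector: without it, an Envoy system that happens to share the "environment" label would be pulled into a stack whose rules are written for Kubernetes admission control.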

Add a Stack Rule

Each stack includes policy modules complementary to the systems it manages (example: Mutating or Validating >> Rules). When you add a rule to a stack module, it affects each of the connected systems, as if they defined the rule themselves.

To define a rule for your stack:

  1. Click the stack's Mutating or Validating >> Rules module.
  2. Click the Add rule button.
  3. Select the rule from the drop-down list.
  4. Ensure that Monitor is selected for the rule.
  5. Deselect the added source code and click the Preview button.

A sample of your system's past decisions is then re-evaluated using your new stack rule.

The following shows an example of the Preview output.

{
  "monitor": [
    {
      "allowed": false,
      "message": "Resource Pod/ns-1/app-1 has an invalid naming convention: app-1"
    }
  ]
}

Note: At this point, your system must have handled the admission control requests in order for a sample decision to be discovered.
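How the Preview above comes about, as an added Python model of re-evaluating past decisions against a monitored rule (not Styra's code; DAS evaluates Rego, this only reproduces the shape of the result). The naming convention, the rule function and the sample decisions are constructed for illustration; the one message that appears on the page is reproduced for the constructed "app-1" pod.

```python
import re

# Constructed sample of past admission decisions (not real DAS decision logs).
# Each entry is the resource a past request concerned.
PAST_DECISIONS = [
    {"kind": "Pod", "namespace": "ns-1", "name": "app-1"},
    {"kind": "Pod", "namespace": "ns-1", "name": "payments-api"},
    {"kind": "Deployment", "namespace": "ns-2", "name": "Web_Front"},
]

# Hypothetical naming convention used by the rule: lowercase words separated
# by single hyphens, no digits or other characters. Assumption for this example.
NAME_PATTERN = re.compile(r"[a-z]+(-[a-z]+)*")


def naming_rule(decision):
    """One stack rule. Returns a decision object for a resource whose name
    violates the convention, or None when the resource is acceptable."""
    name = decision["name"]
    if NAME_PATTERN.fullmatch(name):
        return None
    resource = f'{decision["kind"]}/{decision["namespace"]}/{name}'
    return {
        "allowed": False,
        "message": f"Resource {resource} has an invalid naming convention: {name}",
    }


def preview_monitor(decisions, rules):
    """Re-evaluate a sample of past decisions against rules added in Monitor
    mode and collect every violation the way Preview displays it. Monitored
    rules only report; the original outcome of each past decision is untouched,
    which is what lets you judge a rule's impact before enforcing it."""
    monitor = []
    for decision in decisions:
        for rule in rules:
            result = rule(decision)
            if result is not None:
                monitor.append(result)
    return {"monitor": monitor}


if __name__ == "__main__":
    import json
    print(json.dumps(preview_monitor(PAST_DECISIONS, [naming_rule]), indent=2))
```

Running the model over the three constructed decisions reports two violations (app-1 because of the digit, Web_Front because of the underscore and capitals) and nothing for payments-api, which is the kind of before/after count you want from Preview before moving a rule from Monitor to enforcement.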

Validate a Stack Policy

In addition to previewing your stack's contributions to a single decision, you can also review its broader potential impact before you put any of its rules into effect. As with system policies, you can click Validate while viewing a stack policy to run tests, audit monitored rules, and replay decisions to see how outcomes across your systems might be affected by the stack's rules.

To focus on the stack's own decisions, validating a stack policy considers the resources of each system the stack oversees but ignores the rules those systems implement themselves. Consequently, the Compliance pane lists only violations of the stack's rules and the Decisions pane displays only outcomes that changed because of a stack rule. For more details about validating a Stack policy, see the Policy Lifecycle page. When you are ready, click the ( ⇤ ) publish icon to apply your changes.