Skip to main content


This page defines the terms that appear throughout Styra documentation.

Admission Control​

Admission Control is the process by which developers apply code in front of API servers in order to determine whether a request should be granted. This can be done in a multitude of ways, commonly through validating permissions.

API gateway

An API gateway is a tool used to increase the security, scalability, and efficiency of APIs and backend microservices by providing them with a single entry point.

Attribute-based access control (ABAC) policy

ABAC is the policy-based access control for Identity Management (IAM). Access rights are granted to users through the use of policies that combine attributes together.

Certificate Authorities (CAs)​

A Certificate Authority (CA), also sometimes referred to as a certification authority, is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates.


Cloud-Native describes tools used to create applications to run in a cloud environment. Cloud-Native systems allow organizations to conduct their business more quickly, flexibly, and reliably.

Cloud-Native Computing Foundation (CNCF)​

The Cloud-Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure. CNCF brings together the world’s top developers, end-users, and vendors and runs the largest open-source developer conferences. CNCF is part of the nonprofit Linux Foundation.


A container, in the world of cloud-native technologies, is storage for an application, containing the files needed for it to function properly. Containers allow for applications to run on any device, so long as that device meets the application's specifications.

Continuous Integration and Continuous Delivery (CI/CD)​

Continuous Integration (CI) and Continuous Delivery (CD) embody a culture, set of operating principles, and collection of practices that enable application development teams to deliver code changes more frequently and reliably.

Data source​

A data source is an API for reading and writing JSON objects that can be imported and used to make policy decisions. A data source can be added to systems, stacks, or the library so that data and the policies that utilize it can be shared however is appropriate. The data is versioned and stored compactly with a delta-encoding to handle large and frequently changing JSON.


OPA makes decisions to allow or deny operations or provide suggestions based on the corresponding system’s policies.

Declarative Authorization Service (DAS)​

Styra Declarative Authorization Service (DAS) is built on top of the open-source project Open Policy Agent (OPA) and provides a single pane of glass for authorization and policy across the cloud-native ecosystem of software systems.

Domain Name System (DNS)​

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

Egress filtering​

Egress filtering scans egress traffic for abnormalities or malicious activity and discards infected data packets.

Egress traffic​

Egress traffic is data or traffic sent to an external entity that passes through an edge router of the host network before reaching its destination node.


Emissary-ingress is an open-source ingress controller and API Gateway for Kubernetes. Emissary-ingress uses Envoy Proxy and supports a wide range of use cases including load balancing, authentication, and observability.


The DAS Entitlements system type is a cloud-native Entitlements service that easily integrates into existing applications and can be replicated globally, managed, and governed through a single pane of glass.


Envoy is an open source edge and service proxy, designed for cloud-native applications.

Identity and Access Management (IAM)​

Identity and Access Management (IAM) refers to the policies and tools used by IT departments to ensure that people and entities have the appropriate level of access to the organization’s technical resources.

Infrastructure-as-Code (IaC)

Infrastructure-as-Code is a practice in cloud development to manage infrastructure and automate using descriptive code in conjunction with the needs of the DevOps team. IaC helps environments deploy the exact same way every time, allowing for continuous deployment.

Ingress traffic​

Ingress traffic is network traffic whose source is a public network or an external network and is being sent to a node on a private network.

JSON Web Token (JWT)​

A JSON Web Token (JWT) is an internet standard for creating JSON-based access tokens that assert a number of claims. The tokens are signed either using a private secret or a public or private key.


Kubernetes is an open-source, cloud-native tool used to automate deployment and management of containers, help to manage updates and patches, and replace containers producing failed instances.

Kubernetes sidecar​

Sidecar containers run two tightly coupled containers together.


A Styra DAS library is a collection of functions, pre-compiled routines, or reusable components of code.

Lightweight Directory Access Protocol (LDAP)​

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.

Linux Pluggable Authentication Modules (PAM)​

The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users.


A microservice is a small-scale process of an application, which typically has a single job to help the full application run smoothly.


Minikube is a tool that makes it easy to run Kubernetes locally.

Mutual Transport Layer Security (mTLS)​

mTLS helps ensure that traffic is secure and trusted in both directions between a client and server. This provides an additional layer of security for users who log in to an organization's network or applications.


A namespace is used in platforms such as Kubernetes in order to group services for the purpose of organization and management of access to said resources.

Object model​

An object model is a logical interface, system, or software modeled through the use of object-oriented techniques. An object model enables the creation of an architectural software or system model prior to development or programming.

OPA Gatekeeper​

OPA Gatekeeper enables users to customize Kubernetes admission control via configuration, not code, and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time.

Open Policy Agent (OPA)​

Open Policy Agent, or OPA (pronounced “oh-pa”) for short, is an open-source policy engine developed by Styra and hosted by the Cloud Native Computing Foundation. OPA uses declarative language to enforce policies as code across an entire stack.


A Styra package is a collection of related policies consisting of Rego rules and helper functions. Each package has its unique name and organizes its policies.


Pods are the smallest objects in Kubernetes, representing an instance of a running process. Pods hold containers, which, when run simultaneously, share the processing power allocated to that single pod.


Policy, as it refers to cloud services, sets the guidelines under which companies operate, typically for security reasons. The policy lets companies set who has access to what data, whether internally or externally.

Policy enforcement​

Policy enforcement refers to the creation, categorization, management, monitoring, and automated execution of a set of requirements for use of a network.

Read–eval–print loop (REPL)​

A read–eval–print loop (REPL) is called an interactive top level or language shell. It is a simple, interactive computer programming environment that takes single user inputs, evaluates (executes) them, and returns the result to the user; a program written in a REPL environment is executed piecewise.


OPA policies are expressed in a high-level declarative language called Rego. Rego (pronounced “ray-go”) is purpose-built for expressing policies over complex hierarchical data structures.


A Styra request determines if a subject can perform an operation, and may optionally return a set of entitlements.


A Styra resource is a unique object that can be accessed. Resources are optionally specified as an object in the virtual document data.object.resources. Resources may optionally have attributes, which may be used in ABAC policy snippets.


When a request is made, a response is returned indicating whether the request was successful or has failed.


A Styra role defines permissions for resources.

Role binding​

A Role binding attaches a role to a set of subjects. Role bindings can be expressed by subject IDs or subject attributes or both.

Role-Based Access Control (RBAC)​

A Role-Based Access Control (RBAC) is an approach to authorizing users based on roles assigned to users.


A Styra rule is a specific individual constraint. It consists of specific instructions that you write in the form of a Rego statement for custom rules or specific parameters that you configure for existing Rego statements used in built-in rules. For example, you may define a rule that specifies only images from an explicitly authorized registry can be deployed.

Secure Shell (SSH)​

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.

Service mesh

A service mesh refers to a way software code allows for automation of network connectivity at the platform level. It helps microservices across a network communicate effectively and automatically, greatly reducing the need for manual labor, and increasing potential scale.

Shared Access Signature (SAS)​

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you wish to delegate access to certain storage account resources.


A Styra Stack is a collection of policies and a description of which systems those policies apply to. It organizes multiple systems into a logical collection based on common characteristics. Stacks allow you to apply the same policies to several systems without having to define those policies one system at a time.

Styra Local Control Plane (SLP)​

Styra Local Control Plane (SLP) downloads policies from the DAS and relays them to the OPAs. It provides an additional copy of the policies for higher availability. The SLP also monitors Kubernetes resources and provides them as required both to the DAS for analysis and to the local OPAs when policy decisions rely on those resources.


Styra subjects are optional and represent users, groups of users, or service accounts. All subjects must have a unique ID and may optionally have attributes.


A Styra System is Styra’s core unit for policy authoring, validation, and distribution together with decision monitoring, analysis, and reporting. In Styra, a System represents a real-world software system for policy management. The real-world software system may be a physical or virtual computer node, a cluster of nodes that form a logical management boundary, or an application running on multiple nodes in a cloud instance. Styra supports both predefined system types like Envoy and Kubernetes, as well as a Custom system type that allows you to define other targets manually. For example, a real-world Kubernetes cluster may be represented by a Kubernetes Styra system, and a real-world microservice may be represented by an Envoy Styra system.


Terraform is an open-source program used to manage and automate infrastructure and platforms, as well as services that run on said platforms. Terraform uses declarative language, making it an invaluable tool for cloud developers.


A Styra violation occurs if an operation violates a policy that is being enforced on a specific system, in which case, the operation is denied.


A Styra workspace is a container for the collection of systems that you and your team manage. It provides access to individual system resources and a context for resources that span multiple systems. Styra DAS tenants are limited to a single, tenant-level workspace.