Getting Started ENTERPRISE
Styra's Declarative Authorization Service (DAS) works with Kubernetes APIs to provide desired-state security. Styra allows you to define policy before runtime, so teams can define, enforce, and validate security with no black boxes, additional servers, or complex configuration. On-premises customers can install and configure Styra DAS On-premises in different environments.
The following requirements must be met in order to install Styra DAS On-premises on a variety of Kubernetes environments:
To estimate the storage requirements, the system was tested with five Kubernetes clusters running the Styra OPA agents, generating approximately 800 decisions every second.
With the minimum number of Styra OPA agents running, 128GB of storage was used to store 14 days of decisions.
Styra recommends allocating between 250GB and 500GB of storage to Postgres.
DAS uses Elasticsearch to maintain a search index of policy decisions uploaded by OPA. Sizing the Elasticsearch installation is therefore a matter of determining the volume of decisions that OPA instances upload, on average.
The approximate formula to estimate the total available disk space required to maintain the index is:
# of days indexed * # of decisions per day * average size of single decision * overhead factor
By default, DAS maintains the index for 3 days, but since the cleaning takes place once a day, transiently DAS may store decisions for one extra day. # of decisions per day is largely dependent on the OPAs connected to DAS, as is the average size of a single decision JSON document. Overhead factor is due to the replication and indexing overhead of Elasticsearch itself. Styra recommends an overhead multiplier of 5 for extra safety.
For example, assume the following:
The default of 3 days of log retention is used. That means transiently DAS will maintain 4 days' worth of decisions.
OPAs connected produce 100 decisions (in total) per second, that is, 8.64 million per day.
Each decision JSON document uploaded by OPA takes 2048 bytes on average.
Overhead factor of 5.
Therefore, in this example, the total space required to maintain the indices is approximately:
4 * 8640000 * 2048 * 5 = 330GB.
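The two inputs that depend on your own OPAs, decision rate and average decision size, can be measured from a sample of decision logs before applying the formula. The following is an added example, not part of the Styra documentation or product: it assumes newline-delimited JSON decisions that carry an RFC 3339 `timestamp` field, and the function names and sample records are hypothetical and constructed for illustration.

```python
import json
import re
from datetime import datetime

SECONDS_PER_DAY = 86_400

def index_bytes(retention_days, decisions_per_day, avg_decision_bytes, overhead=5):
    # Cleanup runs once a day, so one extra day of decisions is held transiently.
    return (retention_days + 1) * decisions_per_day * avg_decision_bytes * overhead

def measure(log_lines):
    """Return (decisions per second, average bytes per decision) for a sample."""
    sizes, stamps = [], []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ts = json.loads(line)["timestamp"]
        # Drop fractional seconds; second granularity is enough for a rate.
        ts = re.sub(r"\.\d+", "", ts).replace("Z", "+00:00")
        stamps.append(datetime.fromisoformat(ts))
        sizes.append(len(line.encode("utf-8")))
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0
    if len(stamps) < 2 or span <= 0:
        raise ValueError("sample must span more than one second")
    return (len(stamps) - 1) / span, sum(sizes) / len(sizes)

def estimate_from_sample(log_lines, retention_days=3, overhead=5):
    """Apply the sizing formula to a rate and size measured from a sample."""
    rate, avg_bytes = measure(log_lines)
    return index_bytes(retention_days, rate * SECONDS_PER_DAY, avg_bytes, overhead)

# Constructed sample: five decisions, one per second (not real DAS output).
SAMPLE = [
    json.dumps({"decision_id": f"id-{i}", "path": "example/allow",
                "input": {"user": "alice", "verb": "get"}, "result": True,
                "timestamp": f"2024-01-01T00:00:0{i}Z"})
    for i in range(5)
]

if __name__ == "__main__":
    # The worked example above: 3 days retention, 100 decisions/s, 2048 bytes.
    page = index_bytes(3, 100 * SECONDS_PER_DAY, 2048)
    print(f"worked example: {page} bytes = {page / 2**30:.0f} GiB")
    print(f"sample estimate: {estimate_from_sample(SAMPLE) / 2**30:.2f} GiB")
```

A sample taken during peak load gives a safer estimate than one taken during a quiet period, since the rate is extrapolated to a full day.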
Styra DAS On-premises can be installed in any namespace, and the installation instructions do not make any assumption about namespace.
Computing and Networking
The following shows the computing and networking requirements:
Kubernetes 1.11 or later.
32 GB memory.
Access to a Container Registry.
(Optional) Access to an SMTP server.
A Load Balancer or Ingress to expose the Styra DAS endpoint.
Recommended: A TLS certificate for the Load Balancer or Ingress to configure HTTPS.