Deploy Policy Changes

Policy changes affect STS decisions and Gateway access. Treat them as production changes with simulation, activation, audit review, and rollback readiness.

Deployment Sequence

sequenceDiagram
  participant Author
  participant Console as Console/Admin API
  participant API
  participant Redis
  participant STS
  participant Audit
  Author->>Console: create policy version
  Console->>API: validate and store version
  Author->>Console: simulate policy set
  Console->>API: activate policy set version
  API->>Redis: publish policy invalidate
  STS->>Redis: consume invalidate
  STS->>Audit: emit decisions using current bundle

Pre-Deployment

Confirm the policy uses current resource IDs, scopes, and canonical terminology.
Validate syntax and invariants through Console or Admin API.
Simulate expected allow and deny cases.
Confirm STS readiness and policy age metrics are healthy.
Prepare rollback policy-set version.

Activation

Use Console policy and policy set views or Admin SDK/API automation. Do not use top-level caracal runtime commands for policy management.

Verification

Check	Expected
API activation response	New policy-set version is active.
Redis `caracal.policy.invalidate`	STS consumers receive invalidation.
STS policy age	Returns under alert threshold.
Audit decisions	Expected allow/deny records appear for canary requests.
Gateway behavior	Protected upstream access follows the new decision.

Rollback

Activate the last known-good policy-set version. Then verify STS policy freshness, canary decisions, audit records, and Gateway behavior.

Troubleshooting

Symptom	Check
Activation succeeds but decisions do not change	Policy invalidation stream, STS policy age, and STS logs.
Simulation differs from live decisions	Input shape, active grants, resource IDs, subject/session claims, and step-up state.
Policy fails closed unexpectedly	Rego compile errors, missing scope/resource, or invalid grant.

Next Step

Use Upgrade Caracal for image, chart, migration, and runtime configuration upgrades.