OPA (Open Policy Agent)
Definition
OPA (Open Policy Agent) is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. It uses a high-level declarative language called Rego to define policies, evaluates them against input and data, and returns a decision (allow/deny).
OPA is hosted by the CNCF and is commonly used for Kubernetes authorization, API security, and infrastructure governance.
Key Concepts
- Rego: Declarative policy language (logic programming, like Datalog)
- Decision: OPA returns true (allow) or false (deny) for a query
- Policy: Rego file defining rules
- Data: JSON data that policies evaluate against
- Input: Dynamic input provided at evaluation time
- Policy as Code: Policies stored in Git, version-controlled
How OPA Works
Request (e.g., kubectl create pod)
↓
OPA (admission webhook)
↓ evaluates Rego policy against input + data
Decision: allow / deny
↓
Kubernetes accepts/rejects the request
OPA Use Cases
| Use Case | Description |
|---|---|
| Kubernetes admission control | Validate/modify K8s resources before creation |
| API authorization | Control access to API endpoints |
| Infrastructure governance | Enforce cloud resource policies |
| CI/CD policy | Block deployments that violate policies |
| Database access control | Control SQL/NoSQL access |
| Microservice authorization | Fine-grained service-to-service access |
OPA Rego Example
    # policy/k8s/restrict_image.rego
    package kubernetes.admission

    # Deny when any container in the admitted object pulls an image from outside
    # the approved registry. The image is bound to a variable first so that the
    # same container is tested in the negated expression; a bare `_` inside
    # `not` is an unsafe variable and does not compile.
    deny[msg] {
        image := input.request.object.spec.containers[_].image
        not startswith(image, "gcr.io/production/")
        msg := "Images must come from gcr.io/production/"
    }
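As an added example (not code from the original page or the OPA project), the same registry check extended to initContainers and ephemeralContainers, which also pull images and are missed by a policy that looks only at spec.containers, together with Rego unit tests that run under `opa test`. The file name, container names and images are constructed; the syntax is the pre-1.0 Rego style used on this page.

```rego
# policy/k8s/restrict_image_test.rego  (constructed file name)
package kubernetes.admission

# Collect every container list an admission request can carry.
all_containers[c] {
    c := input.request.object.spec.containers[_]
}
all_containers[c] {
    c := input.request.object.spec.initContainers[_]
}
all_containers[c] {
    c := input.request.object.spec.ephemeralContainers[_]
}

# Deny each container whose image is not from the approved registry.
deny[msg] {
    c := all_containers[_]
    not startswith(c.image, "gcr.io/production/")
    msg := sprintf("container '%v' image '%v' must come from gcr.io/production/", [c.name, c.image])
}

# Helper that builds a constructed admission request for the tests below.
pod_with(containers, init) = req {
    req := {"request": {"object": {"spec": {
        "containers": containers,
        "initContainers": init,
    }}}}
}

test_production_images_allowed {
    count(deny) == 0 with input as pod_with(
        [{"name": "app", "image": "gcr.io/production/app:1.2"}], [])
}

# An init container from a public registry must be caught even when the
# main container is compliant.
test_init_container_from_public_registry_denied {
    deny["container 'setup' image 'busybox:latest' must come from gcr.io/production/"]
        with input as pod_with(
            [{"name": "app", "image": "gcr.io/production/app:1.2"}],
            [{"name": "setup", "image": "busybox:latest"}])
}
```

Run with `opa test policy/k8s/`; both tests should pass, and removing the initContainers rule makes the second one fail.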
OPA vs Traditional Firewalls
| Aspect | OPA | Traditional Firewall |
|---|---|---|
| Scope | Application-level policies | Network-level (IP/port) |
| Language | Rego (declarative) | ACL rules |
| Flexibility | High (logic, data-driven) | Limited |
| Integration | APIs, K8s, CI/CD, databases | Network devices |
| Enforcement | Code-level | Network-level |
OPA Ecosystem
| Project | Purpose |
|---|---|
| OPA Gatekeeper | Kubernetes admission controller for OPA policies |
| Sentinel | OPA with additional features (HashiCorp) |
| Conftest | Test configuration files against OPA policies |
| Styra DAS | OPA management and visualization platform |
- Kubernetes — OPA can enforce API policies
- Rego — OPA’s policy language