100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
DevOps

Open Policy Agent

Created by Styra, incubated as a CNCF graduated project

AdvancedTool10.5K learners

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that lets organizations define and enforce fine-grained authorization and compliance rules — written in its declarative Rego language — consistently across…

Definition

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that lets organizations define and enforce fine-grained authorization and compliance rules — written in its declarative Rego language — consistently across Kubernetes, microservices, CI/CD pipelines, and infrastructure-as-code, decoupling policy logic from application code.

Overview

OPA was created by Styra and donated to the Cloud Native Computing Foundation, where it became a graduated project — one of the most widely adopted policy engines in cloud-native infrastructure. Its core idea is to unify how policy decisions are made across otherwise disconnected systems: rather than each service, pipeline, or platform implementing its own bespoke authorization or validation logic, OPA provides a single, general-purpose policy engine that any system can query with structured input (a Kubernetes admission request, an API call context, a Terraform plan) and receive a policy decision back, evaluated against rules written in Rego, OPA's purpose-built declarative query language. The most common deployment pattern in Kubernetes is as a validating/mutating admission controller — OPA (often via its Gatekeeper project, which wraps OPA specifically for Kubernetes with CRD-based policy management) intercepts requests to create or modify cluster resources and rejects or modifies those that violate defined policies, such as disallowing containers without resource limits, blocking images from unapproved registries, or requiring specific labels. Beyond Kubernetes, OPA is embedded into API gateways and microservices for fine-grained authorization decisions, used to validate Terraform plans before apply (checking for policy violations like overly permissive security groups), and integrated into CI/CD pipelines as a policy gate. Rego, OPA's policy language, is a declarative logic language purpose-built for expressing rules over structured data (typically JSON), which gives it a learning curve distinct from general-purpose programming languages — writing effective Rego policies is often cited as OPA's steepest adoption barrier, addressed partly by tools like the Rego Playground and a growing library of community policy bundles. OPA matters because it decouples 'what is allowed' from the application or platform code enforcing it, letting security and platform teams define, test, version, and update policy centrally without modifying every system that needs to respect it.

Key Features

  • General-purpose policy engine usable across Kubernetes, APIs, CI/CD, and IaC contexts
  • Rego: a purpose-built declarative language for expressing policy rules over structured (JSON) data
  • Gatekeeper project provides Kubernetes-native admission control with CRD-based policy management
  • Decouples policy logic from application/platform code for centralized governance
  • CNCF graduated project with broad ecosystem and community policy library support
  • Supports both blocking (validating) and modifying (mutating) admission decisions in Kubernetes
  • Can validate Terraform plans and other IaC output before changes are applied
  • REST API for querying policy decisions from any system, not just Kubernetes

Use Cases

Enforcing Kubernetes admission policies (resource limits, approved registries, required labels)
Implementing fine-grained authorization decisions for microservices and API gateways
Validating Terraform or other IaC plans against security and compliance policy before apply
Gating CI/CD pipelines to block deployments that violate organizational policy
Centralizing multi-system authorization logic into a single, auditable policy engine
Auditing live infrastructure or cluster state against defined compliance baselines

Alternatives

HashiCorp Sentinel (Terraform-specific policy)Kyverno (Kubernetes-native, no separate policy language)AWS IAM policies / cloud-native policy systems

History

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that decouples authorization and policy decisions from application code, letting teams enforce consistent "policy as code" across a heterogeneous stack (Kubernetes, microservices, CI/CD, APIs, and more). It was created in 2016 by Tim Hinrichs and Torin Sandall (with Teemu Koponen) as an open-source project from the company Styra. OPA uses a purpose-built declarative language called Rego to express rules over structured data. OPA joined the Cloud Native Computing Foundation as a sandbox project in 2018 and graduated in February 2021 — the first CNCF project focused specifically on authorization — and is used in production by many large enterprises.

Frequently Asked Questions

From the Blog