Open Policy Agent
Created by Styra, incubated as a CNCF graduated project
Open Policy Agent (OPA) is an open-source, general-purpose policy engine that lets organizations define and enforce fine-grained authorization and compliance rules — written in its declarative Rego language — consistently across…
Definition
Open Policy Agent (OPA) is an open-source, general-purpose policy engine that lets organizations define and enforce fine-grained authorization and compliance rules — written in its declarative Rego language — consistently across Kubernetes, microservices, CI/CD pipelines, and infrastructure-as-code, decoupling policy logic from application code.
Overview
OPA was created by Styra and donated to the Cloud Native Computing Foundation, where it became a graduated project — one of the most widely adopted policy engines in cloud-native infrastructure. Its core idea is to unify how policy decisions are made across otherwise disconnected systems: rather than each service, pipeline, or platform implementing its own bespoke authorization or validation logic, OPA provides a single, general-purpose policy engine that any system can query with structured input (a Kubernetes admission request, an API call context, a Terraform plan) and receive a policy decision back, evaluated against rules written in Rego, OPA's purpose-built declarative query language. The most common deployment pattern in Kubernetes is as a validating/mutating admission controller — OPA (often via its Gatekeeper project, which wraps OPA specifically for Kubernetes with CRD-based policy management) intercepts requests to create or modify cluster resources and rejects or modifies those that violate defined policies, such as disallowing containers without resource limits, blocking images from unapproved registries, or requiring specific labels. Beyond Kubernetes, OPA is embedded into API gateways and microservices for fine-grained authorization decisions, used to validate Terraform plans before apply (checking for policy violations like overly permissive security groups), and integrated into CI/CD pipelines as a policy gate. Rego, OPA's policy language, is a declarative logic language purpose-built for expressing rules over structured data (typically JSON), which gives it a learning curve distinct from general-purpose programming languages — writing effective Rego policies is often cited as OPA's steepest adoption barrier, addressed partly by tools like the Rego Playground and a growing library of community policy bundles. OPA matters because it decouples 'what is allowed' from the application or platform code enforcing it, letting security and platform teams define, test, version, and update policy centrally without modifying every system that needs to respect it.
Key Features
- General-purpose policy engine usable across Kubernetes, APIs, CI/CD, and IaC contexts
- Rego: a purpose-built declarative language for expressing policy rules over structured (JSON) data
- Gatekeeper project provides Kubernetes-native admission control with CRD-based policy management
- Decouples policy logic from application/platform code for centralized governance
- CNCF graduated project with broad ecosystem and community policy library support
- Supports both blocking (validating) and modifying (mutating) admission decisions in Kubernetes
- Can validate Terraform plans and other IaC output before changes are applied
- REST API for querying policy decisions from any system, not just Kubernetes
Use Cases
Alternatives
History
Open Policy Agent (OPA) is an open-source, general-purpose policy engine that decouples authorization and policy decisions from application code, letting teams enforce consistent "policy as code" across a heterogeneous stack (Kubernetes, microservices, CI/CD, APIs, and more). It was created in 2016 by Tim Hinrichs and Torin Sandall (with Teemu Koponen) as an open-source project from the company Styra. OPA uses a purpose-built declarative language called Rego to express rules over structured data. OPA joined the Cloud Native Computing Foundation as a sandbox project in 2018 and graduated in February 2021 — the first CNCF project focused specifically on authorization — and is used in production by many large enterprises.
Sources
- Open Policy Agent — official website · as of 2026-07-17
- OPA on GitHub — open-policy-agent/opa · as of 2026-07-17
Frequently Asked Questions
From the Blog
AI Agents Explained: The Next Big Thing
An AI agent acts to achieve a goal, not just answers a question — learn how agentic AI works and why it matters.
Read More AI & TechnologyAI Agents Explained: How They Actually Work
AI agents are transforming what software can do autonomously — from booking travel to writing and running code. This guide explains the agent loop, tool use, memory systems, and how frameworks like LangChain, CrewAI, and OpenAI Assistants implement them.
Read More AI & TechnologyRAG Explained: Retrieval-Augmented Generation
RAG is how you give an LLM access to your own private data without training a new model. This guide explains the full pipeline — chunking, embeddings, vector search, and augmented generation — with a working Python example using open-source tools.
Read More AI & TechnologyThe 2026 AI Engineer Roadmap: Skills, Tools, and Career Path
AI Engineer is one of the fastest-growing roles in tech — and it's more accessible than traditional ML engineering. This guide maps the exact skills, tools, and learning sequence for becoming an AI engineer in 2026, from Python basics to deploying production RAG and agent systems.
Read More