Tags: Adopt · Security · CNCF Graduated · Provisioning / Security & Compliance

Open Policy Agent (OPA)

License: Apache-2.0

CNCF Project

Cloud Native Computing Foundation

Accepted: 2018-03-29
Incubating: 2019-04-02
Graduated: 2021-01-29


Complete Guide

Comprehensive documentation, best practices, and getting started tutorials

Open Policy Agent (OPA) is a CNCF graduated project that provides a general-purpose policy engine for unified, context-aware policy enforcement across the cloud-native stack. OPA decouples policy decision-making from policy enforcement and from application logic: policies are defined and managed in one place, and the services that enforce them (microservices, Kubernetes, CI/CD pipelines, API gateways, and more) query OPA for decisions instead of embedding policy code of their own.

This separation lets the same policies be reused consistently across diverse systems, which simplifies policy management and reduces the risk of misconfiguration or inconsistent enforcement. Common use cases include authorization policies, data filtering, configuration validation, and compliance checks.

Key Features

  • Declarative Policy Language (Rego): Policies are authored in Rego, a high-level, declarative language that allows for expressive and flexible policy definitions.
  • Policy Decision as Data: OPA evaluates input data against policies and outputs structured data (JSON) as a policy decision. This makes policies easy to consume by services and applications.
  • Context-Aware Enforcement: Policies can leverage context from various sources (e.g., Kubernetes admission requests, API gateway traffic, user attributes) to make intelligent decisions.
  • Decoupled Enforcement: OPA acts as a sidecar or daemon, allowing services to query it for policy decisions without embedding policy logic directly into their code.
  • High Performance: Designed for low-latency policy evaluation, so decisions can sit on the request path without becoming a bottleneck.
  • Extensive Integrations: Integrates with a wide range of cloud-native technologies, including Kubernetes (via Gatekeeper), Envoy, Istio, Terraform, Docker, and more.
  • Unified Policy Management: Centralizes policy management, reducing redundancy and ensuring consistency across diverse systems.
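The following policy is an added illustration of the two features above, "Declarative Policy Language (Rego)" and "Policy Decision as Data"; it is example code written for this page, not code from the OPA project. It assumes an API-gateway-style input document such as {"method": "GET", "path": ["users", "alice"], "user": "alice"} (a constructed shape) and a data document data.roles that maps user names to role lists; both names are assumptions of the example. The policy fails closed, returns the decision as structured data, and carries its own unit tests.

```rego
package httpapi.authz

import rego.v1

# Constructed example, not OPA project code. The input document is assumed to
# look like {"method": "GET", "path": ["users", "alice"], "user": "alice"},
# and data.roles is assumed to be a map of user -> list of roles loaded as data.

# Deny unless some allow rule below matches (fail closed).
default allow := false

# An authenticated user may read their own profile.
allow if {
	input.method == "GET"
	input.path == ["users", input.user]
}

# Users holding the "admin" role may perform any method under /users.
allow if {
	input.path[0] == "users"
	"admin" in data.roles[input.user]
}

# Explain why a request was denied, so the enforcement point can log it.
deny_reasons contains "request is not for the caller's own profile" if {
	not allow
	input.path[0] == "users"
	input.path[1] != input.user
}

# Unit tests, run with `opa test .`; they mock input and data inline.
test_user_reads_own_profile if {
	allow with input as {"method": "GET", "path": ["users", "alice"], "user": "alice"}
}

test_user_cannot_read_other_profile if {
	not allow with input as {"method": "GET", "path": ["users", "bob"], "user": "alice"}
		with data.roles as {"alice": ["user"]}
}

test_admin_can_delete_any_user if {
	allow with input as {"method": "DELETE", "path": ["users", "alice"], "user": "carol"}
		with data.roles as {"carol": ["admin"]}
}
```

Evaluating the whole package, for example with `opa eval -i input.json -d policy.rego "data.httpapi.authz"`, returns a JSON document containing both `allow` and `deny_reasons`; this is the "decision as data" pattern, where the caller (a gateway filter, an admission controller, a CI step) consumes the structured result rather than interpreting policy logic itself. The `default allow := false` line is the detail worth copying: an input shape the policy did not anticipate yields a denial rather than an undefined result.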

Benefits

  • Consistent Policy Enforcement: Ensures that policies are applied uniformly across the entire organization’s infrastructure and applications.
  • Enhanced Security: Strengthens security by enforcing fine-grained access control, resource admission policies, and data filtering rules.
  • Simplified Governance & Compliance: Helps organizations meet compliance requirements by providing an auditable and manageable policy layer.
  • Increased Agility: Decouples policy from code, allowing policies to evolve independently of application development.
  • Reduced Risk: Minimizes the risk of misconfigurations and security vulnerabilities by enforcing policies automatically.
  • Auditability: All policy decisions can be logged, providing a clear audit trail for compliance and security analysis.
  • Flexibility: Supports a wide variety of policy use cases, from authorization to infrastructure validation.