
Technology Guide

Open Policy Agent (OPA)

License: Apache-2.0


Open Policy Agent (OPA) is a general-purpose policy engine that evaluates structured JSON input against policies written in Rego and returns a structured decision. Applications, API gateways, CI pipelines, and Kubernetes admission controllers call OPA with “can this user do X on resource Y?” and OPA answers yes, no, or any document a policy chooses to compute.

Rego is a declarative, Datalog-inspired language built for querying nested JSON. Policies are compiled into an intermediate representation and can be evaluated in-process via the Go library, as a sidecar over HTTP/gRPC, as a WebAssembly module compiled from the same Rego source, or inside Envoy as an ext_authz service. The bundle protocol pulls signed policy and data bundles from a central server (OPAL, Styra DAS, or any HTTP endpoint), and decision logs are shipped back out for audit. In Kubernetes, OPA is most often consumed through Gatekeeper, which wraps it in a validating/mutating admission webhook with CRD-based ConstraintTemplates.
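As an added illustration of the “can this user do X on resource Y?” flow described above (example policy written for this guide, not code from the OPA project), the following Rego module answers an authorization query against constructed sample `input` and `data` documents; the package name, field names, and role/grant layout are assumptions chosen for the example.

```rego
# Added example policy: a gateway queries POST /v1/data/authz/decision with
# the constructed input below, and OPA returns the "decision" document.
package authz

import rego.v1

# Fail closed: anything not explicitly allowed is denied.
default allow := false

# Constructed sample input sent by the caller:
#   {"user": "alice", "action": "read", "resource": "reports/q3"}
#
# Constructed sample data, as it would arrive in a policy/data bundle:
#   {"roles":  {"alice": ["analyst"]},
#    "grants": {"analyst": {"read": ["reports/*"]}}}

# allow is true when some role of the user has a grant for the requested
# action whose resource pattern matches the requested resource.
allow if {
	some role in data.roles[input.user]
	some pattern in data.grants[role][input.action]
	glob.match(pattern, ["/"], input.resource)
}

# Structured decision: the boolean plus the reasons, so the caller and the
# decision log both see why a request was rejected.
decision := {
	"allow": allow,
	"reasons": deny_reasons,
}

# A user absent from data.roles is reported explicitly.
deny_reasons contains "unknown user" if not data.roles[input.user]

# A known user with no matching grant gets an action/resource-specific reason.
deny_reasons contains sprintf("no grant for %s on %s", [input.action, input.resource]) if {
	data.roles[input.user]
	not allow
}

# With the sample documents above, decision evaluates to:
#   {"allow": true, "reasons": []}
# Changing input.resource to "audit/2024" yields:
#   {"allow": false, "reasons": ["no grant for read on audit/2024"]}
```

Loading the same file with `opa eval -d policy.rego -d data.json -i input.json data.authz.decision` reproduces the result locally, and because the module is plain Rego it can also be compiled to Wasm or served from a bundle unchanged.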

OPA graduated from CNCF in 2021 and is Apache-2.0. Adjacent tools include Kyverno (Kubernetes-native, YAML-based, no Rego), Cedar (AWS), and Casbin. OPA’s reach is broader than any of them: the same engine enforces admission policies, Terraform plan checks (via conftest), microservice authorization, and database row filtering, all from one policy language.

CNCF Project

Cloud Native Computing Foundation

Accepted: 2018-03-29
Incubating: 2019-04-02
Graduated: 2021-01-29
