Configs · Apr 15, 2026 · 3 min read

Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native

CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.

Introduction

Open Policy Agent is a CNCF graduated project that decouples policy decisions from the services that enforce them. Instead of hard-coding authorization, compliance, or admission rules into every microservice, OPA lets you express them once in a declarative language called Rego and evaluate them from any context — API gateways, Kubernetes admission controllers, CI pipelines, or Terraform plans.

What OPA Does

  • Evaluates Rego policies against arbitrary JSON input in under a millisecond
  • Serves as the policy engine for Kubernetes admission control via Gatekeeper (OPA's counterpart to Kyverno)
  • Validates infrastructure-as-code (Terraform, CloudFormation, Kubernetes YAML) in CI
  • Makes fine-grained authorization decisions for microservices via a sidecar or library
  • Unifies policy across data, code, and configuration with a single decision API
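The fine-grained authorization decision described above, written as an added example (not OPA project code): a Rego policy for an HTTP API that denies by default, grants through small helper rules, and collects human-readable deny messages, with its unit tests in the same file so the whole thing runs with the enforcing binary. The input shape (method, path segments, user object) is constructed for this example and is not an OPA convention.

```rego
# Added example (not OPA project code): HTTP API authorization policy with its
# unit tests in one file. The input shape is constructed for this example:
#   {"method": "GET", "path": ["users", "alice", "orders"],
#    "user": {"id": "alice", "roles": ["viewer"]}}
package httpapi.authz

import rego.v1

# Deny by default: a request is allowed only when some grant rule matches
# and no deny rule fires.
default allow := false

allow if {
	count(deny) == 0
	granted
}

# Grant: any user may read resources under their own /users/<id> prefix.
granted if {
	input.method == "GET"
	owns_path
}

# Grant: admins may perform any method.
granted if is_admin

# Grant: service accounts may only probe the health endpoint.
granted if {
	input.user.kind == "service"
	input.path == ["healthz"]
}

# Deny: writes are reserved for admins; the message is what a gateway
# would return and what the decision log records.
deny contains msg if {
	input.method != "GET"
	not is_admin
	msg := sprintf("%s is not permitted for non-admin users", [input.method])
}

# Deny: a suspended role overrides every grant, including admin.
deny contains "suspended accounts are denied" if "suspended" in input.user.roles

# Helper rules keep the grant and deny bodies short and readable.
owns_path if {
	input.path[0] == "users"
	input.path[1] == input.user.id
}

is_admin if "admin" in input.user.roles

# Unit tests: run with `opa test -v authz.rego`. Each test substitutes a
# constructed request with `with input as`.
test_owner_can_read_own_orders if {
	allow with input as {
		"method": "GET",
		"path": ["users", "alice", "orders"],
		"user": {"id": "alice", "roles": ["viewer"]},
	}
}

test_other_user_cannot_read if {
	not allow with input as {
		"method": "GET",
		"path": ["users", "alice", "orders"],
		"user": {"id": "bob", "roles": ["viewer"]},
	}
}

test_viewer_write_is_denied_with_reason if {
	msgs := deny with input as {
		"method": "DELETE",
		"path": ["users", "alice", "orders"],
		"user": {"id": "alice", "roles": ["viewer"]},
	}
	msgs == {"DELETE is not permitted for non-admin users"}
}

test_admin_can_write if {
	allow with input as {
		"method": "DELETE",
		"path": ["users", "alice", "orders"],
		"user": {"id": "root", "roles": ["admin"]},
	}
}

test_suspended_admin_is_denied if {
	not allow with input as {
		"method": "GET",
		"path": ["users", "root", "orders"],
		"user": {"id": "root", "roles": ["admin", "suspended"]},
	}
}

test_service_account_limited_to_healthz if {
	allow with input as {"method": "GET", "path": ["healthz"], "user": {"kind": "service"}}
	not allow with input as {"method": "GET", "path": ["users"], "user": {"kind": "service"}}
}
```

Save it as authz.rego and run `opa test -v authz.rego`; in a real repository the test rules would normally live in a separate authz_test.rego, but `opa test` picks up any rule whose name starts with test_ regardless of file. The `deny` set is what to surface to callers and to decision logs, since a bare `allow: false` tells an operator nothing about which rule fired.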

Architecture Overview

OPA is a single static binary written in Go. It loads policy modules (Rego files) and data documents (JSON/YAML) into memory, compiles Rego into an efficient intermediate representation, and evaluates queries over that graph. Deployment shapes include a sidecar with the REST API, a Go library embedded in an app, a WebAssembly module, and a centralized server fed by bundles from a control plane like Styra DAS.

Self-Hosting & Configuration

  • Run as a binary, a Docker image (openpolicyagent/opa), or a Kubernetes sidecar
  • Pull policy bundles from S3, GCS, or any HTTP endpoint on a configurable refresh interval
  • Ship decision logs to Kafka, Splunk, or any webhook via the decision log and status plugins
  • Use the opa test command to unit-test Rego with the same binary that enforces it
  • Scope policies with packages; wire Kubernetes admission via Gatekeeper constraint templates

Key Features

  • Rego — a declarative query language purpose-built for policy over hierarchical data
  • Bundle API for pulling signed policy artifacts from a trusted source
  • Partial evaluation to pre-compute fast, constant-time authorization checks
  • WebAssembly compilation so policies can run inside Envoy, browsers, or edge workers
  • Extensive tooling: opa test, opa fmt, opa bench, VS Code language server

Comparison with Similar Tools

  • Cedar (AWS) — newer, typed; simpler learning curve but smaller ecosystem
  • Casbin — library-first, supports multiple DSLs, less focused on cloud-native
  • Kyverno — Kubernetes-only, YAML-native — easier for YAML policies but not general-purpose
  • HashiCorp Sentinel — tightly integrated with Terraform Cloud; not open source
  • Polar / Oso — application authorization DSL with good SDKs but smaller community

FAQ

Q: Is Rego hard to learn? A: It has a steep start because it is logic-programming-based, but a handful of patterns (deny rules, helper functions, the with keyword) cover 90% of real policies.

Q: Can OPA decisions be audited? A: Yes. Decision logs ship every evaluation with input, result, and a policy hash to your log backend.

Q: What about performance at scale? A: A compiled policy evaluates in microseconds; partial evaluation can pre-compile decisions for hot paths.

Q: How do I use OPA with Kubernetes? A: Deploy Gatekeeper, which wraps OPA as a validating admission webhook with CRD-based ConstraintTemplates.
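The admission-control use case from the FAQ and the feature list, as an added example (not OPA project or Gatekeeper code): a Pod admission policy in plain Rego that rejects unpinned images and containers without a memory limit, with `opa test` cases that construct minimal AdmissionReview requests. It assumes the AdmissionReview shape, with the Pod at input.request.object; under Gatekeeper the same checks go inside a ConstraintTemplate, which exposes the object as input.review.object and expects violation rules rather than deny.

```rego
# Added example (not OPA project or Gatekeeper code): a Pod admission policy in
# plain Rego, plus its `opa test` cases. It assumes the input is a Kubernetes
# AdmissionReview, so the Pod is at input.request.object. Under Gatekeeper the
# same checks go inside a ConstraintTemplate, which exposes the object as
# input.review.object and expects `violation` rules instead of `deny`.
package kubernetes.admission

import rego.v1

# Deny a Pod whose containers lack a memory limit.
deny contains msg if {
	some c in containers
	not c.resources.limits.memory
	msg := sprintf("container %q must set resources.limits.memory", [c.name])
}

# Deny mutable image references: the :latest tag ...
deny contains msg if {
	some c in containers
	endswith(c.image, ":latest")
	msg := sprintf("container %q uses the mutable :latest tag", [c.name])
}

# ... and images with no tag or digest at all (which default to :latest).
# Simplification: a registry host with a port (host:5000/img) would pass this check.
deny contains msg if {
	some c in containers
	not contains(c.image, ":")
	not contains(c.image, "@")
	msg := sprintf("container %q image %q has no tag or digest", [c.name, c.image])
}

# Helper: all regular and init containers of the Pod under review.
# Other kinds produce an empty set, so the deny rules never fire for them.
containers contains c if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.containers
}

containers contains c if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.initContainers
}

# Test helper: build a minimal AdmissionReview for one container (constructed data).
pod_review(image, limits) := {"request": {
	"kind": {"kind": "Pod"},
	"object": {"spec": {"containers": [{
		"name": "app",
		"image": image,
		"resources": {"limits": limits},
	}]}},
}}

test_pinned_image_with_limits_is_admitted if {
	req := pod_review("registry.example/app:1.4.2", {"memory": "128Mi"})
	count(deny) == 0 with input as req
}

test_latest_tag_is_rejected if {
	req := pod_review("registry.example/app:latest", {"memory": "128Mi"})
	deny == {`container "app" uses the mutable :latest tag`} with input as req
}

test_untagged_image_is_rejected if {
	req := pod_review("registry.example/app", {"memory": "128Mi"})
	count(deny) == 1 with input as req
}

test_missing_memory_limit_is_rejected if {
	req := pod_review("registry.example/app:1.4.2", {})
	deny == {`container "app" must set resources.limits.memory`} with input as req
}

test_non_pod_objects_are_ignored if {
	req := {"request": {"kind": {"kind": "ConfigMap"}, "object": {"data": {}}}}
	count(deny) == 0 with input as req
}
```

Run `opa test -v admission.rego`. Gating on input.request.kind.kind inside the helper, rather than in every deny rule, is what keeps the policy safe to register for a broad webhook rule set: objects it does not understand yield an empty deny set instead of an evaluation error or a spurious rejection.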
