Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native
CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.
%20by%20%E2%80%9ELisa%20Wischofsky%E2%80%9D%2C%20licensed%20under%20%E2%80%9ECC0%201.0%E2%80%9D%20(https%3A%2F%2Fcreativecommons.org%2Fpublicdomain%2Fzero%2F1.0%2F)%3C%2Fdc%3Arights%3E%3C%2Frdf%3ADescription%3E%3C%2Frdf%3ARDF%3E%3C%2Fmetadata%3E%3Cmask%20id%3D%22viewboxMask%22%3E%3Crect%20width%3D%22980%22%20height%3D%22980%22%20rx%3D%22490%22%20ry%3D%22490%22%20x%3D%220%22%20y%3D%220%22%20fill%3D%22%23fff%22%20%2F%3E%3C%2Fmask%3E%3Cg%20mask%3D%22url(%23viewboxMask)%22%3E%3Crect%20fill%3D%22url(%23backgroundLinear)%22%20width%3D%22980%22%20height%3D%22980%22%20x%3D%220%22%20y%3D%220%22%20%2F%3E%3Cdefs%3E%3ClinearGradient%20id%3D%22backgroundLinear%22%20gradientTransform%3D%22rotate(290%200.5%200.5)%22%3E%3Cstop%20stop-color%3D%22%23FFCCB6%22%2F%3E%3Cstop%20offset%3D%221%22%20stop-color%3D%22%23FED7AA%22%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Cg%20transform%3D%22translate(10%20-60)%22%3E%3Cpath%20d%3D%22M530%20219a446%20446%200%200%201%20133%2039c20%2011%2040%2023%2057%2039%2010%209%2019%2018%2027%2029%209%2012%2015%2026%2017%2041%202%2018%202%2037-4%2055-2%207-5%2014-10%2020l-2-5c0-21-4-41-12-60l-1%2019v23c0%2015%202%2031%205%2046l13%2070%2012%2075c3%2024%205%2046-1%2069-3%2012-7%2023-14%2033-3%206-7%2010-11%2015l-6%202%201-12c2-16%201-31%200-46l-7%2012c-7%2011-15%2020-24%2028-11%209-22%2017-35%2022l-17%204c-19%205-39%204-59%200-36-7-71-17-107-24l-32-4h-39l-42%203c-7%208-16%2011-26%2014-12%202-25%201-36-4-17-6-30-17-41-31l7%2016c2%202%205%206%204%209-1%202-3%202-5%203-7%203-15%201-21-2-16-7-29-19-39-32a214%20214%200%200%201-40-115l-1%2027c0%2016%203%2032%208%2047%204%2011%209%2020%2012%2031l-4-2-7-12c-12-21-17-48-17-72%200-33%2010-65%2021-96l19-61%2011-44c4-15%209-29%2015-43a196%20196%200%200%201%2098-103c11-5%2021-10%2033-13%2014-4%2028-6%2043-6%205-1%209%200%2013%201%205%201%2010-2%2014-2%2032-7%2065-7%2097-3Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M495%20231a231%20231%200%200%201%20219%20204c1%2010%202%2021%200%2030-1%204-1%207-4%208-3-10-3-19-4-29a220%20220%200%200%200-239-205c-42%204-83%2019-117%2044l-17%2013a221%20221%200%200%200-78%20164c0%2023%207%2043%2015%2064h17c3%201%204%204%202%206l-6%202c-15%201-31%207-42%2017-8%209-14%2019-16%2031-3%2015%200%2032%208%2045%209%2015%2024%2027%2040%2033%2014%205%2029%207%2043%205%204-1%208-2%2011%200v3c-5%205-11%206-18%207-16%203-33-1-47-8a86%2086%200%200%201-47-58c-4-18-1-37%209-53%208-12%2020-21%2034-26-7-14-10-28-12-43-2-18-2-35%200-53%201-13%204-25%208-38a227%20227%200%200%201%2099-122c41-28%2092-43%20142-41Z%22%20fill%3D%22%23000%22%2F%3E%3Cpath%20d%3D%22M535%20244a220%20220%200%200%201%20171%20200c1%2010%201%2019%204%2029l-2%2018v22c-3%204-4%209-4%2014-2%208-2%2015-2%2023v65c0%2021-3%2042-11%2061-4%2013-10%2024-18%2035-10%2012-21%2022-34%2031-11%209-24%2017-37%2024l-22%2014-12%208%209-2c-3%2011-3%2024-4%2036%200%208%201%2016%207%2022a235%20235%200%200%200%2081%2045c6%207%2011%2016%2013%2025%201%209%200%2018-4%2027-6%2010-14%2018-23%2024-13%2010-28%2017-43%2022a417%20417%200%200%201-217%2011c-16-3-33-9-48-17-10-5-21-12-28-21-6-6-10-14-11-22-2-10%200-21%205-30%2021-13%2039-32%2049-54%205-11%207-22%208-34%201-16%200-32-1-47-2-20-3-41-8-61%2011%2012%2023%2024%2037%2032%2017%2011%2036%2020%2055%2026%2020%207%2041%2013%2063%2018l25%203c3%200%206%200%208-2%202-1%201-2%202-3l-17-2c-29-7-58-16-87-27-18-7-36-15-53-27-18-13-33-30-47-47l-11-16-1-1v-3c-3-2-7-1-11%200-14%202-29%200-43-5-16-6-31-18-40-33-8-13-11-30-8-45%202-12%208-22%2016-31%2011-10%2027-16%2042-17l6-2c2-2%201-5-2-6h-17c-8-21-15-41-15-64-1-14%202-27%205-41a221%20221%200%200%201%2073-123l17-13a230%20230%200%200%201%20185-39Z%22%20fill%3D%22%23ffffff%22%2F%3E%3Cpath%20d%3D%22M708%20513c3%203%202%207%203%2012v29c0%2026%202%2054%200%2080-3%2031-14%2063-36%2086-25%2028-57%2051-93%2064l2%207v35c1%206%204%2010%208%2014l26%2019%2032%2020%2024%2012c2%200%203%201%205%203l-19-5c-19-6-37-14-54-25-9-5-19-12-26-20-6-6-7-14-7-22%201-12%201-25%204-36l-9%202%2012-8%2022-14c13-7%2026-15%2037-24%2013-9%2024-19%2034-31a178%20178%200%200%200%2029-96v-65c0-8%200-15%202-23%200-5%201-10%204-14ZM278%20574c5%205%204%2014%200%2019l-3%207c1%203%205%205%207%206%206%203%2012%207%2019%209%200%204-3%205-7%205-6-1-13-3-18-6-7-3-13-8-13-16%200-6%205-9%206-14%202-4%200-7-1-11%204-1%207-2%2010%201ZM328%20667l11%2016c14%2017%2029%2034%2047%2047%2017%2012%2035%2020%2053%2027a714%20714%200%200%200%20104%2029c-1%201%200%202-2%203-2%202-5%202-8%202l-25-3a478%20478%200%200%201-118-44c-14-8-26-20-37-32%205%2020%206%2041%208%2061%201%2015%202%2031%201%2047-1%2012-3%2023-8%2034-10%2022-28%2041-49%2054l-14%208c2-4%206-6%209-9%2013-11%2024-25%2034-39%206-10%2012-21%2014-33%204-19%203-39%203-58l-3-59%202-10c-10-11-19-26-22-41Z%22%20fill%3D%22%23000%22%2F%3E%3Cpath%20d%3D%22M686%20474c5%202%2010%207%2012%2012%203%208%203%2017%201%2025-1%204-4%208-9%208s-9-5-8-10c0-8%203-15%201-23l-5-4c-6%200-12%203-17%205%202%203%204%205%204%208%202%207%201%2014%200%2021-1%208-4%2014-9%2020-3%202-7%206-11%207-5%201-10-1-12-5-4-5-4-11-3-16l-6%208c-1%202-2%203-4%203-1-2%200-6%201-8a95%2095%200%200%201%2044-49c6-3%2014-4%2021-2ZM470%20481c18%206%2035%2017%2046%2033%203%204%206%209%207%2014%201%203%201%205-1%206-3%201-6-3-8-5-3%206-2%2013-6%2018-3%204-7%208-11%2010-6%203-13%203-19%201s-10-8-14-13c-5-10-5-20-4-30%201-8%204-15%209-21-14-5-29-8-42-2-10%204-16%2011-19%2021-1%205%200%2011-3%2015-3%203-9%203-12%200s-4-7-3-11c1-12%207-22%2016-30%206-4%2012-7%2019-9%2015-4%2031-3%2045%203Z%22%20fill%3D%22%23000000%22%2F%3E%3Cg%20fill%3D%22%23000000%22%3E%3Cpath%20d%3D%22M675%20381c5%200%208%204%209%208-11%203-23%208-34%2013l-16%208c-7%204-14%207-22%209-5%201-9%200-13%203l-7%208c-3%203-4%207-6%2012-1-1-3-2-3-4-2-5%200-11%202-16%202-6%203-12%208-17%203-4%205-8%209-10%204-3%2010-4%2014%200l1%206%2025-14c11-4%2021-8%2033-6ZM481%20383c14%202%2032%201%2044%207%209%204%2013%2011%2018%2019l-1%204c-4%203-9%204-14%202-4-2-6-6-9-8-2-2-5-2-8-3l-25-2c-12-1-24-6-36-7l-27-5-5-2c9-3%2019-4%2029-5%2011%200%2023-2%2034%200Z%22%2F%3E%3Cpath%20d%3D%22M540%20387c6-2%2012-2%2016%202%206%203%209%209%2011%2015%200-4%202-9%205-12%206%203%2011%209%2013%2015%201%205%202%2010%200%2015s-9%208-13%205c-4-4-4-12-5-18-1%204-2%208-5%2010s-7%201-9-2l-5-12-7-15-1-3Z%22%2F%3E%3C%2Fg%3E%3Cpath%20d%3D%22M607%20606c0%203-2%206-4%209-4%206-11%2010-18%2012-5%201-9-2-13%200-4%200-8%201-12-1-2-1-2-4%200-6%203-4%208-7%2012-7%204-1%207-1%2010%202l1%207c5-2%207-5%2011-8l13-8Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M608%20667c2%200%204%200%205%202l-1%2015c5-1%2010-4%2016-2%200%204-4%207-7%209l-35%2012c-17%204-34%207-51%208-7%201-15-1-22-3-2-1-4-1-4-4%204-2%209%200%2012-1%202-5%207-7%2011-10l31-19c3-1%207-4%2010-4%204-1%207%204%2011%204%208-2%2016-7%2024-7ZM607%20712c1%204%201%208-1%2011-2%205-7%209-12%2011-6%202-12%203-18%202-2%200-6-2-6-5%201-2%205-2%207-3%208-4%2018-7%2025-13%202-1%203-3%205-3Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M492%20216c35%200%2070%207%20103%2017%2023%206%2045%2014%2066%2024%2023%2012%2045%2025%2063%2044%2015%2013%2027%2028%2035%2046%203%208%205%2017%206%2026%201%2013%200%2026-2%2039-2%2010-6%2022-13%2030l-2-6c0-20-5-40-12-59%201%2019-3%2040-15%2055-4%204-8%205-12%207s-9%202-13%202c-7-1-15-4-22-7-2-2-5-3-6-6-4-13-5-27-9-40l-6-17c-2%2010-4%2019-8%2028-3%2011-8%2021-15%2030l-8%207-3-14-4-17c-5-21-14-42-26-61v29c-2%2016-3%2031-10%2045-3%207-4%2014-10%2018-8%204-18%205-27%205-13%200-28%202-41-1-6-2-8-7-11-12l-14-31-11-20c-2%2022-2%2043-1%2064-1%202%200%204-2%205-1%202-3%201-5%200-9-4-16-11-23-18-9-12-19-24-25-37l2%2017c3%2012%207%2024%2012%2035l2%208-5-2c-7-5-12-12-17-19-7-12-11-27-12-41-5%2019-7%2039-8%2059l-2%2010c-1%203-3%204-6%205l-33%205h-11a670%20670%200%200%200%2013%20152l15%2061c1%203%200%205-2%207-15-8-26-23-36-38v63l-3%206a245%20245%200%200%201-64-94l-6-16a397%20397%200%200%201-27-151c1-40%209-80%2026-116a217%20217%200%200%201%2076-91l31-17c11-4%2022-9%2034-10%2010-1%2021-3%2031%200%204%201%208-1%2012-2%2020-4%2041-6%2061-6Z%22%20fill%3D%22%23000000%22%2F%3E%3C%2Fg%3E%3Cg%20transform%3D%22translate(10%20-60)%22%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E){kind=small}
Instalación lista para agent
Este activo puede instalarse después de elegir el runtime, revisar el plan y ejecutar el comando correspondiente.
npx -y tokrepo@latest install 4153bc1e-3900-11f1-9bc6-00163e2b0d79 --target codexEjecutar después de confirmar el plan con dry-run.
What it is
Open Policy Agent (OPA) is a CNCF graduated project that provides a general-purpose policy engine. Instead of hardcoding authorization logic into each service, you write policies in Rego, a declarative language designed for structured data inspection. OPA evaluates those policies against JSON input and returns a decision.
OPA is used by platform engineers, DevOps teams, and security architects who need consistent policy enforcement across Kubernetes admission control, API authorization, Terraform plan validation, and CI/CD pipelines.
How it saves time or tokens
Without OPA, every service implements its own authorization checks, leading to duplicated logic and inconsistent enforcement. OPA centralizes policies so a single Rego file can govern access across dozens of services. When a compliance rule changes, you update one policy instead of patching every service. This reduces both engineering time and the risk of policy drift.
How to use
- Install OPA:
brew install opa
# or download from https://github.com/open-policy-agent/opa/releases- Write a policy in Rego:
package authz
default allow = false
allow {
input.method == "GET"
input.path == "/public"
}
allow {
input.user.role == "admin"
}- Evaluate the policy against input:
opa eval -i input.json -d policy.rego 'data.authz.allow'Example
# Create input.json
cat > input.json << 'ENDJSON'
{
"method": "GET",
"path": "/public",
"user": {"role": "viewer"}
}
ENDJSON
# Evaluate
opa eval -i input.json -d policy.rego 'data.authz.allow'
# Result: true (matches the GET /public rule)Related on TokRepo
- AI tools for security — Security-focused tools and policies
- AI tools for DevOps — Infrastructure automation and operations tools
Common pitfalls
- Writing imperative-style Rego instead of declarative rules. Rego is not a scripting language; each rule body is a set of conditions that must all be true.
- Forgetting that OPA evaluates policies in memory. Loading very large datasets (millions of rows) into OPA data slows evaluation; use external data APIs for large lookups.
- Not testing policies before deploying them. OPA has a built-in test framework (
opa test) that should be part of your CI pipeline.
Preguntas frecuentes
OPA uses Rego, a declarative query language designed for inspecting structured data like JSON. Rego policies define rules as logical conditions. The language supports set operations, comprehensions, and partial evaluation for complex authorization scenarios.
OPA integrates with Kubernetes through the Gatekeeper project, which runs as an admission controller. It intercepts resource creation and modification requests, evaluates them against Rego policies, and rejects requests that violate constraints like label requirements or resource limits.
Yes. OPA evaluates policies in microseconds because it loads policies and data into memory. For API authorization, services send a JSON authorization request to OPA and receive an allow/deny decision. OPA handles thousands of decisions per second on a single instance.
OPA can implement RBAC, ABAC, and custom authorization models. You write the role-checking logic in Rego. However, OPA is a policy engine, not a user directory. You still need an identity provider to authenticate users and supply role claims to OPA.
OPA is the core policy engine that evaluates Rego policies against any JSON input. Gatekeeper is a Kubernetes-specific project built on OPA that provides CRDs for defining constraints and constraint templates, making it easier to manage policies in a Kubernetes-native way.
Referencias (3)
- OPA GitHub— OPA is a CNCF graduated project for general-purpose policy evaluation
- OPA Docs— Rego is a declarative language for structured data inspection
- Gatekeeper GitHub— Gatekeeper provides Kubernetes-native CRDs for OPA policies
Relacionados en TokRepo
Discusión
Activos relacionados
Conftest — Test Structured Config with Open Policy Agent
A CLI tool for writing tests against structured configuration data using the Rego policy language. Conftest validates Kubernetes manifests, Terraform plans, Dockerfiles, and any structured format against custom policies.
Fluentd — Unified Logging Layer for Cloud-Native Infrastructure
Fluentd is a CNCF-graduated open-source data collector that unifies log collection and routing. With 1000+ plugins, it connects any source to any destination — the standard log layer for Kubernetes alongside Fluent Bit.
Cerbos — Scalable Policy-Based Authorization Engine
Cerbos is an open-source authorization engine that decouples access control from application code, letting teams define permissions as versioned, testable YAML or JSON policies.
Kyverno — Policy as Code for Kubernetes
Kyverno is a policy engine for Kubernetes that uses native YAML instead of a new language. Validate, mutate, and generate resources with policies written as Kubernetes resources.