# Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native

> CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.

## Quick Use

```bash
# install OPA (macOS / Linux)
brew install opa   # or download from openpolicyagent.org

# write a rule: deny images not from the trusted registry
# (rego.v1 syntax: accepted by OPA >= 0.59 and required by OPA 1.x)
cat > policy.rego <<'REGO'
package kubernetes.admission

import rego.v1

deny contains msg if {
    input.request.kind.kind == "Pod"
    img := input.request.object.spec.containers[_].image
    not startswith(img, "registry.internal.corp/")
    msg := sprintf("image %v not from trusted registry", [img])
}
REGO

# evaluate against sample input (review.json: a saved AdmissionReview object)
opa eval -d policy.rego -i review.json 'data.kubernetes.admission.deny'

# run as a REST server for admission webhooks, echoing decision logs to the console
opa run --server --set=decision_logs.console=true policy.rego
```

## Introduction

Open Policy Agent is a CNCF graduated project that decouples policy decisions from the services that enforce them. Instead of hard-coding authorization, compliance, or admission rules into every microservice, OPA lets you express them once in a declarative language called Rego and evaluate them from any context — API gateways, Kubernetes admission controllers, CI pipelines, or Terraform plans.

## What OPA Does

- Evaluates Rego policies against arbitrary JSON input in under a millisecond
- Serves as the policy engine for Kubernetes admission control via Gatekeeper
- Validates infrastructure-as-code (Terraform, CloudFormation, Kubernetes YAML) in CI
- Makes fine-grained authorization decisions for microservices via a sidecar or library
- Unifies policy across data, code, and configuration with a single decision API

## Architecture Overview

OPA is a single static binary written in Go. It loads policy modules (Rego files) and data documents (JSON/YAML) into memory, compiles Rego into an efficient intermediate representation, and evaluates queries over that graph. Deployment shapes include a sidecar with the REST API, a Go library embedded in an app, a WebAssembly module, and a centralized server fed by bundles from a control plane like Styra DAS.

## Self-Hosting & Configuration

- Run as a binary, a Docker image (`openpolicyagent/opa`), or a Kubernetes sidecar
- Pull policy bundles from S3, GCS, or any HTTP endpoint on a configurable refresh interval
- Ship decision logs to Kafka, Splunk, or any webhook via the status and decision-log services
- Use the `opa test` command to unit-test Rego with the same binary that enforces it
- Scope policies with packages; wire Kubernetes admission via Gatekeeper constraint templates

## Key Features

- Rego — a declarative query language purpose-built for policy over hierarchical data
- Bundle API for pulling signed policy artifacts from a trusted source
- Partial evaluation to pre-compute fast, constant-time authorization checks
- WebAssembly compilation so policies can run inside Envoy, browsers, or edge workers
- Extensive tooling: `opa test`, `opa fmt`, `opa bench`, VS Code language server

## Comparison with Similar Tools

- **Cedar (AWS)** — newer, typed; simpler learning curve but smaller ecosystem
- **Casbin** — library-first, supports multiple DSLs, less focused on cloud-native
- **Kyverno** — Kubernetes-only, YAML-native — easier for YAML policies but not general-purpose
- **HashiCorp Sentinel** — tightly integrated with Terraform Cloud; not open source
- **Polar / Oso** — application authorization DSL with good SDKs but smaller community

## FAQ

**Q: Is Rego hard to learn?**
A: It has a steep start because it is logic-programming-based, but a handful of patterns (deny rules, helper functions, `with`) cover 90% of real policies.

**Q: Can OPA decisions be audited?**
A: Yes. Decision logs ship every evaluation with input, result, and a policy hash to your log backend.

**Q: What about performance at scale?**
A: A compiled policy evaluates in microseconds; partial evaluation can pre-compile decisions for hot paths.

**Q: How do I use OPA with Kubernetes?**
A: Deploy Gatekeeper, which wraps OPA as a validating admission webhook with CRD-based ConstraintTemplates.

## Sources

- https://github.com/open-policy-agent/opa
- https://www.openpolicyagent.org/docs/latest/

---

Source: https://tokrepo.com/en/workflows/4153bc1e-3900-11f1-9bc6-00163e2b0d79
Author: AI Open Source
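The following is an added example, not code from the page or from the OPA project, showing the three FAQ patterns (deny rules, helper functions, `with`) together with the `opa test` workflow from the Self-Hosting section. It generalizes the Quick Use rule: the trusted registry list moves into a data document (`data.trusted_registries`, an assumed name) so a bundle can update it without a policy change, init containers are checked as well as regular containers, and a helper appends the `/` so a look-alike registry such as `registry.internal.corp.evil.io` cannot pass a bare prefix match. The test file mocks both `input` and `data` with `with`, so it runs with no `data.json` present. Both files are shown in one listing, separated by file-name comments.

```rego
# --- policy.rego (added example; file names and data path are assumptions) ---
package kubernetes.admission

import rego.v1

# Allowlist lives in a data document, e.g. data.json:
#   {"trusted_registries": ["registry.internal.corp"]}
# If no data document is loaded this is undefined, image_trusted never
# holds, and every image is denied: the policy fails closed.
trusted_registries := data.trusted_registries

# Helper: the image must start with "<registry>/". Appending "/" stops
# "registry.internal.corp.evil.io/app" from matching, and a bare image
# such as "nginx" (Docker Hub by default) never matches at all.
image_trusted(img) if {
    some r in trusted_registries
    startswith(img, sprintf("%s/", [r]))
}

# Collect every image the pod will run: containers and initContainers.
pod_images contains img if {
    input.request.kind.kind == "Pod"
    some c in input.request.object.spec.containers
    img := c.image
}

pod_images contains img if {
    input.request.kind.kind == "Pod"
    some c in input.request.object.spec.initContainers
    img := c.image
}

# Deny rule: one message per untrusted image; an empty set means admit.
deny contains msg if {
    some img in pod_images
    not image_trusted(img)
    msg := sprintf("image %v not from trusted registry", [img])
}

# --- policy_test.rego (added example; run with: opa test -v .) ---
package kubernetes.admission_test

import rego.v1

import data.kubernetes.admission

# Constructed registry allowlist used to mock data.trusted_registries.
registries := ["registry.internal.corp"]

# Constructed AdmissionReview fragment holding only the fields the policy reads.
pod_with(images) := {"request": {
    "kind": {"kind": "Pod"},
    "object": {"spec": {"containers": [{"image": img} | some img in images]}},
}}

test_trusted_image_admitted if {
    count(admission.deny) == 0
        with input as pod_with(["registry.internal.corp/api:1.2"])
        with data.trusted_registries as registries
}

test_untrusted_image_denied if {
    admission.deny == {"image docker.io/library/nginx:latest not from trusted registry"}
        with input as pod_with(["docker.io/library/nginx:latest"])
        with data.trusted_registries as registries
}

test_lookalike_registry_denied if {
    count(admission.deny) == 1
        with input as pod_with(["registry.internal.corp.evil.io/app:1"])
        with data.trusted_registries as registries
}

test_init_container_checked if {
    review := {"request": {
        "kind": {"kind": "Pod"},
        "object": {"spec": {
            "containers": [{"image": "registry.internal.corp/api:1.2"}],
            "initContainers": [{"image": "busybox"}],
        }},
    }}
    admission.deny == {"image busybox not from trusted registry"}
        with input as review
        with data.trusted_registries as registries
}

test_non_pod_ignored if {
    count(admission.deny) == 0
        with input as {"request": {"kind": {"kind": "Deployment"}, "object": {}}}
        with data.trusted_registries as registries
}
```

Save the two files side by side and run `opa test -v .`; the same binary then enforces the policy with `opa eval -d policy.rego -d data.json -i review.json 'data.kubernetes.admission.deny'`, so what passed in CI is exactly what the webhook evaluates.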