OPA (Open Policy Agent)
What is OPA (Open Policy Agent)?
A CNCF-graduated, general-purpose policy engine that decouples authorization and admission-control decisions from the applications and platforms that enforce them, using the declarative Rego policy language.
OPA (Open Policy Agent) is an open-source, general-purpose policy engine that lets teams express authorization, admission, and configuration rules as code in the declarative Rego language. An application or platform sends OPA a JSON document describing the request (the input); OPA evaluates the loaded policy against that input and any data it has been given, and returns a decision. Policy therefore lives outside business logic and can be changed without redeploying the caller. It is widely used for Kubernetes admission control (directly as a validating webhook, or via Gatekeeper), microservice authorization (Envoy/Istio external authz), Terraform plan checks, CI/CD guardrails, and SaaS RBAC. OPA can run as a sidecar, a host-level daemon, a standalone server, or embedded as a Go library. Policies and data are distributed as bundles, which can be versioned and signed, and every decision can be emitted to a decision log. Best practices include default-deny policies, unit tests for Rego (opa test), versioned and signed bundles, authentication and authorization on OPA's own management API, and continuous policy review.
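The input-in, decision-out mechanism above, as an added example for the Kubernetes admission case (this is illustrative code written for this page, not code from the OPA or Gatekeeper projects). The policy receives an AdmissionReview as `input`, the shape OPA's own Kubernetes admission webhook integration uses; Gatekeeper wraps equivalent logic in a ConstraintTemplate and reads `input.review.object` instead. Unit tests live in the same file so `opa test` exercises the edge cases: a container-level `runAsUser: 0` overriding a Pod-level `runAsNonRoot: true`, and a Pod that sets nothing at all. The package name, rule names, and the `pod_review` test helper are assumptions made for this example.

```rego
# Added example, not OPA project code. Rejects Pods that could run as root.
# input is an AdmissionReview (input.request.object is the Pod being created).
package kubernetes.admission

import rego.v1

# One message per offending container; an empty set means "admit".
deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in all_containers
	not non_root(c)
	msg := sprintf("container %q must run as non-root (set runAsNonRoot: true or a non-zero runAsUser)", [c.name])
}

# initContainers run with the same privileges as regular containers, so both are checked.
all_containers contains c if some c in input.request.object.spec.containers
all_containers contains c if some c in input.request.object.spec.initContainers

# Container-level securityContext overrides the Pod-level one (Kubernetes semantics).
effective_run_as_user(c) := uid if {
	uid := c.securityContext.runAsUser
} else := uid if {
	uid := input.request.object.spec.securityContext.runAsUser
}

effective_run_as_non_root(c) := v if {
	v := c.securityContext.runAsNonRoot
} else := v if {
	v := input.request.object.spec.securityContext.runAsNonRoot
}

uid_is_set(c) if is_number(effective_run_as_user(c))

# A container is non-root if its effective UID is non-zero, or if no UID is
# pinned and runAsNonRoot is true (the kubelet then refuses a root image).
non_root(c) if effective_run_as_user(c) > 0

non_root(c) if {
	not uid_is_set(c)
	effective_run_as_non_root(c) == true
}

# ---- Tests: run with `opa test -v policy.rego` ----
# Constructed AdmissionReview fragment: one app container plus one init container
# that is already non-root, so every count below refers to the "app" container.
pod_review(container_sc, pod_sc) := {"request": {
	"kind": {"kind": "Pod"},
	"object": {"spec": {
		"securityContext": pod_sc,
		"containers": [{"name": "app", "securityContext": container_sc}],
		"initContainers": [{"name": "init", "securityContext": {"runAsUser": 1000}}],
	}},
}}

test_explicit_root_is_denied if {
	review := pod_review({"runAsUser": 0}, {})
	count(deny) == 1 with input as review
}

test_nothing_set_is_denied if {
	review := pod_review({}, {})
	count(deny) == 1 with input as review
}

test_non_zero_uid_is_admitted if {
	review := pod_review({"runAsUser": 1000}, {})
	count(deny) == 0 with input as review
}

test_pod_level_run_as_non_root_is_inherited if {
	review := pod_review({}, {"runAsNonRoot": true})
	count(deny) == 0 with input as review
}

test_container_uid_zero_overrides_pod_level if {
	review := pod_review({"runAsUser": 0}, {"runAsNonRoot": true})
	count(deny) == 1 with input as review
}

test_container_false_overrides_pod_true if {
	review := pod_review({"runAsNonRoot": false}, {"runAsNonRoot": true})
	count(deny) == 1 with input as review
}
```

The policy only ever returns messages for `Pod` kinds; it is the webhook configuration (or Gatekeeper's constraint `match` block) that decides which resources reach it, so a Deployment that embeds a root Pod template would need a separate rule over `spec.template`.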
● Examples
- 01
Gatekeeper using OPA to deny Kubernetes pods running as root.
- 02
Envoy ext_authz delegating per-request authorization to OPA over gRPC.
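The ext_authz case in Example 02, as an added example (written for this page; not code from the OPA or opa-envoy-plugin projects). The opa-envoy-plugin hands OPA Envoy's CheckRequest as `input.attributes`, and the decision rule it queries is configured with `plugins.envoy_ext_authz_grpc.path` (here `envoy/authz/allow`). Assumptions made for this example: the caller's identity is the SPIFFE ID Envoy extracts from the downstream mTLS certificate into `input.attributes.source.principal` (as Istio populates it), and the role and permission tables are constructed inline where a real deployment would ship them as data in the bundle.

```rego
# Added example, not opa-envoy-plugin code. Per-request authorization for Envoy ext_authz.
package envoy.authz

import rego.v1

# Default deny: every request not matched below is rejected (HTTP 403 from Envoy).
default allow := false

# Constructed workload -> roles table (assumption: Istio-style SPIFFE principals).
roles_by_principal := {
	"spiffe://cluster.local/ns/shop/sa/frontend": {"reader"},
	"spiffe://cluster.local/ns/shop/sa/billing": {"reader", "writer"},
}

# Constructed role -> [method, path glob] table.
permissions := {
	"reader": {["GET", "/api/orders/*"]},
	"writer": {["GET", "/api/orders/*"], ["POST", "/api/orders"], ["DELETE", "/api/orders/*"]},
}

# Envoy's :path pseudo-header carries the query string; it must not take part
# in the match, otherwise "/api/orders/1?x=/admin" style inputs confuse globs.
request_path := split(input.attributes.request.http.path, "?")[0]

allow if {
	some role in roles_by_principal[input.attributes.source.principal]
	some perm in permissions[role]
	perm[0] == input.attributes.request.http.method
	# "/" as delimiter keeps "*" inside one path segment: /api/orders/42 matches,
	# /api/orders/42/refund does not.
	glob.match(perm[1], ["/"], request_path)
}

# ---- Tests: run with `opa test -v authz.rego` ----
# Constructed CheckRequest fragment in the plugin's input shape.
req(principal, method, path) := {"attributes": {
	"source": {"principal": principal},
	"request": {"http": {"method": method, "path": path, "headers": {}}},
}}

frontend := "spiffe://cluster.local/ns/shop/sa/frontend"

billing := "spiffe://cluster.local/ns/shop/sa/billing"

test_reader_can_get_order if {
	r := req(frontend, "GET", "/api/orders/42")
	allow with input as r
}

test_query_string_is_ignored if {
	r := req(frontend, "GET", "/api/orders/42?verbose=1")
	allow with input as r
}

test_reader_cannot_delete if {
	r := req(frontend, "DELETE", "/api/orders/42")
	not allow with input as r
}

test_writer_can_delete if {
	r := req(billing, "DELETE", "/api/orders/42")
	allow with input as r
}

test_glob_does_not_cross_segments if {
	r := req(billing, "GET", "/api/orders/42/refund")
	not allow with input as r
}

test_unknown_workload_is_denied if {
	r := req("spiffe://cluster.local/ns/other/sa/batch", "GET", "/api/orders/42")
	not allow with input as r
}

test_missing_principal_is_denied if {
	r := {"attributes": {"request": {"http": {"method": "GET", "path": "/api/orders/42"}}}}
	not allow with input as r
}
```

Because the only signal trusted here is the mTLS principal, the decision is only as strong as the mesh's certificate issuance; a bearer token in the Authorization header would instead be checked with `io.jwt.decode_verify` against a key shipped in the bundle, never with the unverified `io.jwt.decode`.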
● Frequently asked questions
What is OPA (Open Policy Agent)?
A CNCF-graduated, general-purpose policy engine that decouples authorization and admission-control decisions from the applications and platforms that enforce them, using the declarative Rego policy language. It belongs to the Cloud Security category of cybersecurity.
What does OPA (Open Policy Agent) mean?
OPA stands for Open Policy Agent: a CNCF-graduated, general-purpose policy engine that evaluates Rego policies against a JSON input and returns a decision, so that authorization and admission-control logic is kept out of the applications and platforms that enforce it.
How does OPA (Open Policy Agent) work?
A client (an API gateway, a sidecar proxy such as Envoy, a Kubernetes admission webhook, or application code) sends OPA a JSON document describing the request. OPA evaluates the Rego policy it has loaded for that query against the input and any external data it has been given, and returns the result, for example allow: true or false, or a set of violation messages. Policies and data reach OPA as bundles, which can be versioned and signed, and every decision can be written to a decision log for audit. Because the decision is data-driven, changing it means shipping a new bundle rather than redeploying the caller.
How do you secure an OPA (Open Policy Agent) deployment?
OPA is a control rather than a threat, so the question is how to keep its decisions trustworthy. Practical measures: write policies with an explicit default deny so that an undefined result never becomes an allow; unit-test every rule with opa test and run those tests in CI; distribute policy as versioned, signed bundles so a compromised bundle server cannot inject rules; put TLS, authentication, and an authorization policy on OPA's own REST and management API so only intended callers can query or reload it; ship decision logs to central logging; and review policies regularly, since a stale rule fails open just as quietly as a missing one.
What are other names for OPA (Open Policy Agent)?
Common alternative names include: Open Policy Agent, Rego policy engine.
● Related terms
- cloud-security№ 839
Policy as Code
The practice of defining security, compliance, and governance rules in machine-readable code so they can be versioned, tested, reviewed, and automatically enforced.
- cloud-security№ 991
Security as Code
The practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications.
- cloud-security№ 600
Kubernetes Security
The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- cloud-security№ 1014
Service Mesh Security
The set of identity, encryption, and authorization controls a service mesh provides to secure service-to-service traffic in a cloud-native environment.
- compliance№ 204
Compliance
The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
- network-security№ 1262
Zero Trust Network
A network architecture that never trusts users, devices, or services by default and enforces continuous, identity-aware verification of every connection.