IT Get in touch

OPA (Open Policy Agent): universal policy as code

Open Policy Agent (2016 Styra, CNCF incubating 2018, graduated January 2021, v1.0.0 stable December 2024): general policy engine with Rego language. API authorisation, Kubernetes admission controller, Terraform validation, CI/CD gating.

Open SourceCyber Security
Open SourceCyber Security OPAOpen Policy AgentRegoStyraPolicy as CodeCNCFKubernetesOpen Source
CyberScan

CyberScan

Platform for automated vulnerability assessment, threat intelligence and continuous security posture management.

Discover →

Policy as code

Authorisation and compliance decisions are typically hard-coded: if user.role == "admin" scattered everywhere, SQL ACLs, LDAP group checks, specific logic for each tool (K8s RBAC, Terraform sentinel, CI rules). OPA proposes a single engine: rules are code written in a declarative language (Rego), separated from the application, versionable, testable.

The release

Open Policy Agent is created by Styra (founded by Tim Hinrichs, Torin Sandall) in 2016, open source from the start. Donated to CNCF in March 2018 (sandbox), incubating in 2019, graduated on 29 January 2021. Version v1.0.0 stable arrives on 20 December 2024 — consolidating Rego choices (mandatory if and contains) after years of widely used v0.x production releases. Written in Go, Apache 2.0 licence.

The Rego language

Rego is declarative, Datalog-inspired:

package http.authz

default allow = false

allow {
    input.method == "GET"
    input.path = ["public", _]
}

allow {
    input.user.role == "admin"
}

Call: input is the context, output is allow (true/false) or complex objects.

Typical use cases

  • Kubernetes admission control — validate Pod, NetworkPolicy, RBAC (Gatekeeper is the OPA framework for K8s)
  • API authorization — Envoy ext_authz, Istio AuthorizationPolicy
  • CI/CD gating — validate Terraform plan, Helm chart, Dockerfile
  • Data filtering — row-level security on queries
  • Microservices — centralised authorisation
  • Cloud infra — policies on AWS/Azure/GCP resources

Ecosystem

  • Gatekeeper — OPA Kubernetes admission controller, with ConstraintTemplate CRD
  • Conftest — test policies on Dockerfile, K8s manifest, Terraform
  • OPA Envoy plugin — authorization filter
  • Terraform OPA provider
  • Styra DAS — commercial, UI and governance

Alternatives / competitors

  • Kyverno (2019) — K8s-native policies (YAML, not Rego)
  • Casbin — multi-language RBAC/ABAC library
  • Cedar (AWS, 2023) — similar to Rego, BSD/Apache
  • HashiCorp Sentinel — commercial, Terraform Enterprise
  • AWS IAM — proprietary JSON policies

In the Italian context

OPA is used in:

  • Banks and fintech — microservice authorisation, SOX/PSD2 compliance
  • Telco — API gateway policies
  • Digital PA — governance on multi-tenant K8s clusters
  • MSPs / cloud native consulting — Gatekeeper-based offerings
  • CI/CD gating — Terraform/Helm policies before production apply

Many Italian platform engineering teams adopt OPA + Gatekeeper as central control.

References: Open Policy Agent (Styra 2016). Tim Hinrichs, Torin Sandall. Apache 2.0 licence. Declarative Rego language. CNCF sandbox (March 2018), graduated (29 January 2021). v1.0.0 stable (20 December 2024). Gatekeeper (K8s admission framework).

Need support? Under attack? Service Status
Need support? Under attack? Service Status