Open Policy Agent (OPA)
Profile
Open Policy Agent (OPA) is a general-purpose policy engine that decouples policy decision-making from policy enforcement across cloud-native infrastructure. As a Cloud Native Computing Foundation graduated project, OPA has achieved widespread enterprise adoption at organizations including Goldman Sachs, Netflix, and Pinterest. The tool enables policy-as-code through Rego, a declarative language purpose-built for expressing policies over hierarchical data structures. OPA unifies policy enforcement across microservices, Kubernetes clusters, CI/CD pipelines, and API gateways, eliminating scattered authorization logic embedded in application code. By centralizing policy definitions while supporting distributed enforcement, OPA provides organizations with consistent, auditable policy management across heterogeneous technology stacks.
Focus
OPA addresses the fundamental challenge of fragmented authorization logic in distributed systems, where policy decisions become scattered across codebases in different languages and platforms. The tool enables security teams to modify policies without requiring application redeployment, creates a single source of truth for organizational policies, and accelerates policy evolution by separating decisions from enforcement. Platform engineers use OPA to standardize policy enforcement across infrastructure, while security teams codify compliance requirements for consistent application. The architecture supports sophisticated policy designs impractical to embed in applications, including context-aware authorization based on real-time system state and complex conditional logic spanning multiple factors, delivering unprecedented consistency in policy enforcement.
Background
OPA was created by Styra and donated to the Cloud Native Computing Foundation in 2018, achieving graduated status in 2021 after completing security audits and demonstrating mature governance processes. The project is maintained by contributors from multiple organizations including Microsoft, Google, and Styra, with over ninety individuals from approximately thirty organizations contributing to development. Apple acquired Styra's founding team in 2025, though OPA's CNCF governance structure remains unchanged. The tool operates under Apache License 2.0 for the open source core, with an OPA Enterprise License introduced for certain production deployments. Active maintenance continues with regular releases incorporating security updates and technical improvements.
Main features
Declarative policy language with comprehensive evaluation capabilities
Rego, OPA's declarative policy language inspired by Datalog, enables policy authors to specify what policies should enforce rather than how to enforce them. The language includes over 150 built-in functions supporting sophisticated data processing, filtering, and decision-making across JSON, YAML, and hierarchical data formats. Rules form the fundamental building blocks, operating with logical AND semantics where all conditions must be satisfied for rule execution. Policies can generate arbitrary structured data as output beyond simple allow/deny decisions, enabling complex authorization logic like Terraform blast radius scoring or Kubernetes admission control with multiple simultaneous constraint evaluations.
Flexible deployment models with bundle distribution
OPA supports both sidecar deployment for low-latency local evaluation and centralized service deployment for resource efficiency across multiple applications. Bundle management enables compressed archives containing policy code and data to be distributed to OPA instances, supporting versioning, CI/CD pipeline testing, and on-the-fly policy updates without instance restarts. Organizations can implement sophisticated strategies with multiple bundles for different policy domains, each with independent update frequencies. The architecture allows hybrid approaches where critical operations use local sidecars while less time-sensitive operations query centralized services, balancing latency requirements against operational complexity.
Comprehensive REST API with decision logging
OPA exposes REST APIs enabling services to query policy decisions through POST requests to endpoints, with the Data API forming the core evaluation interface accepting structured JSON input. The Policy API manages policy modules through CRUD operations, while the Compile API provides partial evaluation and data filtering for query optimization. Decision logging creates comprehensive audit trails recording every policy query, input data, and resulting decision, with configurable masking to redact sensitive information while maintaining compliance records. The Status and Health APIs enable monitoring of bundle activation and operational health, while Prometheus integration supports performance metrics collection for production deployments.


