Open Policy Agent (OPA)
Type: full-code · Vendor: The OPA Authors / CNCF · Language: Go · License: Apache-2.0 · Status: active · Status in practice: mature · First released: 2016
Open Policy Agent is a general-purpose policy engine that evaluates structured input against machine-readable Rego policies to return authorization decisions, decoupling policy decisions from enforcement.
Description. OPA is a CNCF-graduated policy engine in which software queries OPA with structured data and OPA evaluates that input against Rego policies to produce a decision such as allow or deny. It decouples policy decision-making from policy enforcement, so policy authorship lives outside the calling service. When decision logging is enabled, OPA records each authorization decision in a decision log that bundles the input data, the policy decision, and metadata.
Agent loop shape. OPA has no agent loop. It runs as a library or sidecar daemon that answers policy queries: a calling service supplies structured JSON input, OPA evaluates the relevant Rego policies against it, and returns the decision result. Each decision can be emitted to a decision log capturing the input, the result, and metadata for later audit.
Primary use cases
- service and API authorization decisions
- Kubernetes admission control and infrastructure-as-code validation
- decision logging for policy audit
Key concepts
- Rego → policy-as-code-gate (docs) — OPA's high-level declarative policy language, in which authorization rules are written and managed outside the calling service and evaluated against the supplied JSON input.
- Policy decision (docs) — The result OPA returns for a query — any JSON value, commonly an allow or deny boolean — leaving enforcement of that result to the service that asked, which is what decouples decision from enforcement.
- Decision log → decision-log (docs) — A stream of structured events, one per evaluated decision, capturing the policy queried, the input, the result, and metadata, reportable to remote HTTP servers for centralized audit.
Patterns this full-code implements —
- ★Policy-as-Code Gate
OPA evaluates a proposed action against externally-managed machine-readable Rego policies and returns an allow or deny decision, decoupling policy decision-making from enforcement so compliance autho…
- ★★Decision Log
Every policy decision can be emitted as a structured event recording the policy that was queried, the input to the query, and bundle metadata, shippable to remote servers, so the reason for each auth…
- ★Decision Token
OPA decision logs mint a self-contained record at the moment each authorization decision executes, bundling the policy evaluated, the exact input data read, the decision result, and identifying metad…