Open Policy Agent (OPA)
Open Policy Agent is a general-purpose policy engine that evaluates structured input against machine-readable Rego policies to return authorization decisions, decoupling policy decisions from enforcement.
Description
OPA is a CNCF-graduated policy engine: software queries it with structured data, and OPA evaluates that input against Rego policies to produce a decision such as allow or deny. This decouples policy decision-making from policy enforcement, so policy authorship lives outside the calling service. OPA records each authorization decision in decision logs that bundle the input data, the policy decision, and metadata.
Solution
OPA has no agent loop. It runs as a library or sidecar daemon that answers policy queries: a calling service supplies structured JSON input, and OPA evaluates the relevant Rego policies against it and returns the decision result. Each decision can be emitted to a decision log capturing the input, the result, and metadata for later audit.
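The query flow described above, as an added example that is not part of the original page or the OPA project's own code: a default-deny Rego policy for a hypothetical HTTP API, with unit tests that feed it constructed inputs shaped like what a calling service would send. The package name, the input fields (`method`, `path`, `user`, `groups`) and the `auditors` group are assumptions for illustration.

```rego
package httpapi.authz

import rego.v1

# Deny unless a rule below explicitly allows the request.
default allow := false

# A user may read their own record: GET /accounts/<user>
allow if {
	input.method == "GET"
	input.path == ["accounts", input.user]
}

# Members of the hypothetical "auditors" group may read any account.
allow if {
	input.method == "GET"
	count(input.path) == 2
	input.path[0] == "accounts"
	"auditors" in input.groups
}

# Unit tests with constructed inputs; each `with input as` stands in for
# the JSON document the calling service would supply.
test_owner_can_read_own_account if {
	allow with input as {"method": "GET", "path": ["accounts", "alice"], "user": "alice", "groups": []}
}

test_other_user_denied if {
	not allow with input as {"method": "GET", "path": ["accounts", "alice"], "user": "bob", "groups": []}
}

test_auditor_can_read_any_account if {
	allow with input as {"method": "GET", "path": ["accounts", "alice"], "user": "carol", "groups": ["auditors"]}
}

test_write_denied_even_for_auditor if {
	not allow with input as {"method": "DELETE", "path": ["accounts", "alice"], "user": "alice", "groups": ["auditors"]}
}

# An input missing the expected fields leaves both rules undefined,
# so the default applies and the request is denied.
test_missing_fields_denied if {
	not allow with input as {}
}
```

Saved to a file, the tests run with `opa test`. The last test shows why the `default allow := false` line matters: without it, a malformed input would yield an undefined decision rather than an explicit deny.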
Primary use cases
- service and API authorization decisions
- Kubernetes admission control and infrastructure-as-code validation
- decision logging for policy audit