Intro to Open Policy Agent

This post is a summary of my talk at Open Source Summit Europe 2019 in Lyon, France, co-presented with Opan Mustopah.

Resources:


What is Open Policy Agent?

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. It provides a high-level declarative language called Rego for specifying policy as code.

Why Policy as Code?

As organizations scale their infrastructure and adopt microservices, managing authorization and policy decisions becomes increasingly complex. Policy as code provides:

  • Version control: Track policy changes over time
  • Testing: Validate policies before deployment
  • Automation: Integrate policy enforcement into CI/CD pipelines
  • Consistency: Apply the same policy logic across different services

OPA Use Cases

OPA can be used for various policy enforcement scenarios:

Kubernetes Admission Control

OPA can act as a Kubernetes admission controller to enforce policies on resources being created or modified in the cluster. For example:

  • Requiring specific labels on all deployments
  • Blocking containers running as root
  • Enforcing resource limits

API Authorization

OPA can make authorization decisions for API requests, determining whether a user can perform a specific action on a resource.

Infrastructure as Code

Validate Terraform plans or CloudFormation templates against organizational policies before applying changes.

Rego Policy Language

Rego is OPA’s purpose-built policy language. It’s designed to be:

  • Declarative: Express what you want, not how to compute it
  • Safe: Guaranteed to terminate
  • Expressive: Handle complex, nested data structures
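
The three admission-control checks listed under Kubernetes Admission Control, written as declarative Rego rules; this is an added example, not code from the talk or from the OPA project. It assumes the `rego.v1` syntax of recent OPA releases and a Kubernetes AdmissionReview as input; the package name and the `required_labels` set are hypothetical.

```rego
package kubernetes.admission

import rego.v1

# Assumption: input is the AdmissionReview a validating webhook receives,
# with the Deployment under review at input.request.object.
# required_labels is a hypothetical organizational convention.
required_labels := {"app", "owner"}

pod_spec := input.request.object.spec.template.spec

containers contains c if {
	some c in pod_spec.containers
}

# Container-level runAsNonRoot wins; the pod-level value applies only
# when the container does not set the field at all.
non_root(c) if c.securityContext.runAsNonRoot == true

non_root(c) if {
	object.get(c, ["securityContext", "runAsNonRoot"], null) == null
	pod_spec.securityContext.runAsNonRoot == true
}

# Requiring specific labels on all deployments.
deny contains msg if {
	input.request.kind.kind == "Deployment"
	labels := object.get(input.request.object.metadata, "labels", {})
	missing := required_labels - object.keys(labels)
	count(missing) > 0
	msg := sprintf("missing required labels: %v", [missing])
}

# Blocking containers running as root.
deny contains msg if {
	some c in containers
	not non_root(c)
	msg := sprintf("container %q must set runAsNonRoot: true", [c.name])
}

# Enforcing resource limits.
deny contains msg if {
	some c in containers
	some resource in {"cpu", "memory"}
	not c.resources.limits[resource]
	msg := sprintf("container %q has no %s limit", [c.name, resource])
}
```

Each `deny` rule adds a message to the same set, so a request is admitted only when `data.kubernetes.admission.deny` evaluates to an empty set. Missing fields make an expression undefined rather than raising an error, which is why the rules use `not` and `object.get` to treat an absent `securityContext`, `labels` or `limits` as a violation.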

Getting Started

To learn more about Open Policy Agent, visit the official documentation.


For the complete presentation, check out the slides from the talk.