explaingit

open-policy-agent/opa

11,715 · Go · Audience: ops, devops · Complexity: 3/5 · Setup: moderate

TLDR

An open-source policy engine that lets you write access and compliance rules in one place using a language called Rego, so any service in your system can ask it for authorization decisions instead of each app hardcoding its own rules.

Mindmap

mindmap
  root((OPA))
    What it does
      Centralized policy engine
      Authorization decisions
      Compliance enforcement
    Policy language
      Rego rules
      Browser playground
      VS Code extension
    Integrations
      Kubernetes admission
      Terraform plan checks
      Docker and SSH
    Production use
      Netflix and Atlassian
      CNCF graduated project
      Ask and answer pattern


Things people build with this

USE CASE 1

Centralize who-can-do-what access rules across multiple services so changing a policy updates every app at once

USE CASE 2

Enforce rules about which cloud resources are allowed to be created before Terraform applies any changes

USE CASE 3

Gate API endpoint access in a Kubernetes cluster by asking OPA which requests are permitted

USE CASE 4

Write and test authorization rules in the browser-based OPA playground without installing anything

Tech stack

Go, Rego

Getting it running

Difficulty · moderate Time to first run · 30min

No installation is needed to try Rego in the browser playground; connecting OPA to Kubernetes or Terraform requires additional integration configuration.

In plain English

Open Policy Agent, usually called OPA, is an open source tool that lets software teams define and enforce rules about what is and is not allowed in their systems. Instead of baking those rules into the application code itself, you write them separately in a language called Rego, and any service can ask OPA for a decision whenever it needs one.

The way it works is straightforward: your application sends a question to OPA, such as whether a particular user can access a particular resource, and OPA evaluates the rules you have written and sends back an answer. This keeps access and compliance logic in one place rather than scattered across many different services. When rules change, you update them in OPA rather than patching multiple applications.

OPA can be used for many kinds of policy decisions: who can call which API endpoints, which cloud resources are allowed to be created, what labels a container must have, and so on. The project provides ready-made guides for connecting OPA to systems like Kubernetes, Terraform, Docker, and SSH. Teams at Netflix, Atlassian, and many other organizations use it in production to manage authorization across their infrastructure.

Getting started is easy: there is a browser-based playground at play.openpolicyagent.org where you can write and test Rego rules without installing anything, and a VS Code extension is available for local development with live feedback. The project is a graduated member of the Cloud Native Computing Foundation, which means it has met that body's standards for stability and production readiness.
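As an added illustration (not code from the OPA repository or from this page), here is the ask-and-answer pattern in Rego: the calling service hands OPA the request as `input`, OPA returns `allow` plus a set of denial reasons, and the same file carries unit tests that `opa test` runs. The input shape, the role names and the file name are assumptions made for this example.

```rego
# Assumed file: authz.rego, holding both the policy and its tests.
# Run with `opa test authz.rego -v`, or evaluate a single request with
# `opa eval -d authz.rego -i input.json data.authz.allow`.
package authz

import rego.v1

# Roles permitted to read the API (constructed for this example).
allowed_roles := {"admin", "editor"}

# Deny by default: a request is refused unless an allow rule matches.
default allow := false

# Expected input, as the calling service would send it:
#   {"method": "GET", "path": ["api", "reports"], "user": {"role": "editor"}}
allow if {
    input.method == "GET"
    input.path[0] == "api"
    role_allowed
}

# Undefined (hence false under `not`) when the role is missing or unknown.
role_allowed if input.user.role in allowed_roles

# Human-readable reasons for a denial, useful in decision logs.
deny contains reason if {
    not role_allowed
    role := object.get(input.user, "role", "<missing>")
    reason := sprintf("role %q may not read the API", [role])
}

deny contains reason if {
    input.method != "GET"
    reason := sprintf("method %s is not a read request", [input.method])
}

# Unit tests: `opa test` picks up every rule whose name starts with test_.
test_editor_can_read if {
    allow with input as {"method": "GET", "path": ["api", "reports"], "user": {"role": "editor"}}
}

test_viewer_is_denied if {
    not allow with input as {"method": "GET", "path": ["api", "reports"], "user": {"role": "viewer"}}
}

test_missing_role_is_denied if {
    not allow with input as {"method": "GET", "path": ["api", "reports"], "user": {}}
}

test_admin_cannot_write if {
    not allow with input as {"method": "POST", "path": ["api", "reports"], "user": {"role": "admin"}}
}
```

A service integrating with a running OPA asks the same question over its REST API by POSTing `{"input": {...}}` to `/v1/data/authz/allow` and reading the returned `result`.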

Copy-paste prompts

Prompt 1
Write a Rego policy for OPA that allows read access to an API endpoint only if the user's role is admin or editor, and denies everything else
Prompt 2
How do I integrate OPA with Kubernetes as an admission controller so it can reject pod deployments that break my naming rules?
Prompt 3
Write a Terraform OPA policy that prevents any S3 bucket from being created without a specific required tag
Prompt 4
Set up OPA with the VS Code extension so I get live feedback as I write Rego rules; what do I install and how do I configure it?
Prompt 5
Show me how to test an OPA Rego policy using the built-in test framework, including a passing case and a failing case