**Open Policy Agent (OPA)** is a general-purpose, open source policy engine that decouples policy decision-making from application code. In a hyperscaler context, it primarily appears as the [[Kubernetes]] admission controller (via Gatekeeper) that enforces organisational policies before workloads are allowed to run.

---

### First Principle: Policy logic doesn't belong in application code. Centralise it, version it, test it.

Without a policy engine, security rules get implemented in ad-hoc ways — `if` statements in admission webhooks, bash scripts in CI pipelines, manual review checklists. OPA provides a single, expressive policy language (Rego) and a uniform evaluation engine that works across Kubernetes admission, API authorisation, data access, and microservice policies.

---

### Key Considerations

- **Rego Language**: OPA policies are written in Rego — a declarative logic language. Rego expresses complex rules (e.g., "container images must come from our approved registry and must not run as root") as logical queries.
- **Kubernetes Gatekeeper**: The OPA Gatekeeper operator implements [[Kubernetes]] Admission Webhooks using OPA. Every `kubectl apply` runs through Gatekeeper — requests that violate policies are rejected with a clear error message.
- **ConstraintTemplates**: Gatekeeper policies are parameterised via ConstraintTemplates (which define the policy logic) and Constraints (which apply the policy with parameters). This allows operators to write generic policies and apply them with configuration.
- **OPA Sidecar**: For microservice API authorisation, OPA runs as a sidecar. The service asks OPA "can user X do action Y on resource Z?" and gets a binary allow/deny response.
- **Conftest**: OPA's testing tool — runs Rego policies against JSON/YAML configs in CI pipelines. Useful for testing [[OpenTofu]] plans and [[Kubernetes]] manifests before deployment.
- **vs RBAC**: [[Kubernetes]] RBAC controls what subjects can do with Kubernetes API objects. OPA/Gatekeeper controls what properties those objects are allowed to have — a complementary layer.

---

### How It Fits

```
`kubectl apply` / API request → OPA Gatekeeper (admission webhook, evaluates Rego) → [[Keycloak]] (provides identity claims OPA evaluates) → [[Falco]] (runtime enforcement after OPA admission)
```

[[Keycloak]] | [[Falco]] | [[Trivy]] | [[Kubernetes]] | [[Open Source Hyperscaler MoC]]
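As an added example (not from the original note or the Gatekeeper project), here is a ConstraintTemplate/Constraint pair that implements the "approved registry and must not run as root" rule from Key Considerations; the template name, constraint name and registry prefix are made up for illustration.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata: {name: k8sapprovedimages}
spec:
  crd:
    spec:
      names: {kind: K8sApprovedImages}
      validation:
        openAPIV3Schema:
          type: object
          properties:
            registries: {type: array, items: {type: string}}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sapprovedimages
        # Include initContainers: a rule that reads only spec.containers misses them.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }
        # Prefix match against the registries supplied by the Constraint.
        approved(image) { startswith(image, input.parameters.registries[_]) }
        # runAsNonRoot is honoured at container level, or inherited from the
        # pod level when the container does not explicitly set it to false.
        non_root(c) { c.securityContext.runAsNonRoot == true }
        non_root(c) {
          not c.securityContext.runAsNonRoot == false
          input.review.object.spec.securityContext.runAsNonRoot == true
        }
        violation[{"msg": msg}] {
          c := containers[_]
          not approved(c.image)
          msg := sprintf("container %v: image %v is not from an approved registry", [c.name, c.image])
        }

        # A missing securityContext is undefined in Rego, so `not non_root(c)`
        # reports it as a violation instead of silently passing.
        violation[{"msg": msg}] {
          c := containers[_]
          not non_root(c)
          msg := sprintf("container %v must run with runAsNonRoot: true", [c.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sApprovedImages
metadata: {name: pods-approved-images}
spec:
  match:
    kinds: [{apiGroups: [""], kinds: ["Pod"]}]
  parameters:
    registries: ["registry.example.internal/"]
```

Setting `spec.enforcementAction: dryrun` on the Constraint records violations in its status without rejecting admissions, which lets you audit existing workloads before switching to `deny`.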