Open Policy Agent (OPA) is an open-source, general-purpose policy engine for cloud-native environments. It is currently an incubating project at the Cloud Native Computing Foundation. 

“The cloud-native ecosystem must provide flexible solutions to control who can do what across modern, microservice deployments because legacy approaches to policy management do not satisfy the requirements of modern environments,” Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation, said last year when the foundation accepted the project. “OPA has made strides integrating with Kubernetes through the Gatekeeper project that integrates policy management. Moving OPA to the CNCF Incubator will raise awareness and encourage the development of OPA extensions in and outside the cloud native ecosystem.”

According to the project, different policy languages, models and APIs are used for different products and services. With OPA, users get a unified toolset and framework they can use across the cloud-native stack, the team explained. 

“Whether for one service or for all your services, use OPA to decouple policy from the service’s code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance,” OPA’s website states.

In a recent survey, the team found that OPA is used for multiple use cases: 51% of respondents said they use it for at least two use cases, and 29% use it for three or more use cases, including Kubernetes admission control, microservices API authorization, application authorization and cloud security.

The latest version of the project, OPA 0.19, was released in April with faster parsing, better errors and more support for WebAssembly.