The Cloud Native Computing Foundation (CNCF) has announced that Open Policy Agent (OPA) is graduating. Graduation from the CNCF indicates that a project has shown “widespread adoption, an open governance process, feature maturity, and a strong commitment to community, sustainability, and inclusivity,” according to the CNCF. 

OPA is a tool for ensuring policy across an organization in a context-aware way. According to the project, it eliminates the need to use a different policy language, model, and API for every different service used in an organization. 

“As the cloud native ecosystem grows, it’s more important than ever for organizations to have access to policy enforcement tools built for modern cloud native deployments,” said Chris Aniszczyk, CTO of the CNCF. “Since joining CNCF, OPA has expanded to integrate with many of today’s most widely used tools and technologies and its broad adoption reflects its versatility across a wide variety of use cases.” 

The project was first admitted into the CNCF in April 2018 as a sandbox project and was promoted to incubation in 2019. OPA has over 90 individual contributors from 30 organizations, and is maintained by developers from Google, Microsoft, VMware, and Styra. 

In addition, the project underwent two external security audits while at the CNCF, and it completed the SIG-Security assessment process. The OPA team defined a vulnerability disclosure process and security response team that includes individuals from three current maintainer organizations. 

“When we started OPA, we knew that policy and authorization were going to become more critical than ever, due to heterogeneous and complex app deployments,” said Torin Sandall, co-founder of OPA and VP of open source at Styra. “We also knew we’d need the support of the community for integrations, performance, and knowledge-sharing. It’s thanks to this amazing group of folks that OPA today has become a graduated project and the de facto toolset and framework for expressing authorization policy across the stack.”