// the find
open-policy-agent/opa
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
OPA is a general-purpose policy engine that lets you write authorization and compliance rules in Rego, a purpose-built declarative language, and enforce them across Kubernetes admission, API gateways, Terraform, or any service that can make an HTTP call. It's CNCF-graduated and in production at Netflix, Atlassian, and many others. The target audience is platform/infra engineers who are tired of baking authorization logic into every service.
Rego's datalog-inspired evaluation model handles recursive and set-based policy questions that would be ugly conditional trees in any general-purpose language. The capabilities versioning system (100+ snapshot JSON files going back to v0.17) means you can pin policy evaluation to a specific OPA version's built-in set, which matters for reproducible compliance audits. The bundle system with signed bundles and HMAC verification gives you a real supply-chain story for distributing policies to agents. The built-in debugger and VS Code extension with live diagnostics are genuinely useful — Rego is confusing at first and tooling matters.
Rego has a steep learning curve that the project somewhat undersells. The logical variable unification model trips up anyone coming from imperative languages, and error messages when a rule silently produces `undefined` instead of `false` are not helpful. OPA's data model is purely JSON — no typed schemas at the engine level — so large policy suites tend to grow implicit structural contracts that break silently when input shapes change. Running OPA as a sidecar per service works but adds latency on the policy decision path; the WASM compilation target exists as an alternative but the wasm binary sizes are large and the feature set lags the main engine. The REST API bundle polling model means there's always a window where an agent has stale policy, and the default configuration makes that window invisible.