Open Policy Agent (OPA)

Policy-based control for cloud native environments

  • Can be used generally with structured data, not only with Kubernetes

  • Uses Rego DSL for its policies

  • Rego is for data queries, it's not general purpose language

  • Can be used to validate manifests, for example "Container must provide app label for pod selectors"

  • Output JSON can passed to external systems, like Gatekeeper

    • Or just respond with AdmissionReview Kubernetes object, so OPA can be plugged to Admission Controller


  • Provides more "Kubernetes-native" abstraction and functionalities over OPA

  • Policies are stored as CRDs

  • Constraint Templates

    • Enables you to provide a policy and pass variables during the valuation

  • Gatekeeper provides a library for couple of policy types like PSPs

  • Validating PSPs with web hooks might provide better UX, because apiserver rejects the object instantly, not only then when pod starts

  • Above-mentioned functionality does not use PSPs in the backend, but OPA implements PSP-like behavior


Write tests against structured configuration data using the Open Policy Agent Rego query language

  • Policies can be bundled and pushed to registry (like Harbor)

  • Can be run in CI for getting feedback before applying manifests to cluster

  • For example can be used to check Kubernetes API deprecations (

Use Conftest and OPA for Dockerfile checks

Use conftest to validate Terraform code


Last updated