Convert Figma logo to code with AI

open-policy-agent logoopa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

9,617
1,332
9,617
385
View on GitHub

Top Related Projects

thanos-io's avatar

thanos

13,054

Highly available Prometheus setup with long term storage capabilities. A CNCF Incubating project.

kubeedge's avatar

kubeedge

6,726

Kubernetes Native Edge Computing Framework (project under CNCF)

falcosecurity's avatar

falco

7,328

Cloud Native Runtime Security

cilium's avatar

cilium

20,022

eBPF-based Networking, Security, and Observability

aquasecurity's avatar

trivy

22,801

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

cncf's avatar

tag-security

2,043

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!

Quick Overview

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. It provides a high-level declarative language for specifying policy as code and simple APIs to offload policy decision-making from your software. OPA can be used to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

Pros

  • Flexible and domain-agnostic: Can be used for various policy enforcement scenarios across different technologies
  • Declarative policy language (Rego): Easy to write and understand policies
  • Integrates well with existing systems: Provides SDKs for multiple languages and can be deployed as a sidecar or service
  • Strong community support and active development

Cons

  • Learning curve: Rego language and OPA concepts may take time to master
  • Performance overhead: Policy evaluation can add latency to requests in some scenarios
  • Limited built-in integrations: May require custom development for specific use cases
  • Debugging complex policies can be challenging

Code Examples

  1. Basic policy example:
package httpapi.authz

default allow = false

allow {
    input.method == "GET"
    input.path == ["api", "public"]
}

This policy allows GET requests to the "/api/public" endpoint.

  1. Kubernetes admission control:
package kubernetes.admission

deny[msg] {
    input.request.kind.kind == "Pod"
    not input.request.object.spec.securityContext.runAsNonRoot
    msg := "Pods must not run as root"
}

This policy denies the creation of pods that don't have the runAsNonRoot security context set.

  1. Data filtering:
package api.filter

allowed_fields = ["id", "name", "email"]

filter[field] = value {
    field := allowed_fields[_]
    value := input.data[field]
}

This policy filters input data to only include allowed fields.

Getting Started

  1. Install OPA:
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
chmod 755 ./opa
  1. Write a policy (e.g., example.rego):
package example

default allow = false

allow {
    input.user == "admin"
}
  1. Evaluate a policy:
./opa eval -i input.json -d example.rego "data.example.allow"

For more detailed instructions and examples, refer to the OPA documentation.

Competitor Comparisons

thanos-io logo

thanos

13,054

Highly available Prometheus setup with long term storage capabilities. A CNCF Incubating project.

Pros of Thanos

  • Designed specifically for long-term storage and global querying of Prometheus metrics
  • Provides a unified view of metrics from multiple Prometheus instances
  • Offers advanced features like downsampling and compaction for efficient storage

Cons of Thanos

  • More complex setup and configuration compared to OPA
  • Focused solely on metrics and monitoring, while OPA is a general-purpose policy engine
  • Requires additional infrastructure components (e.g., object storage) for full functionality

Code Comparison

Thanos (querying metrics):

client, err := promapi.NewClient(promapi.Config{Address: "http://thanos-query:9090"})
query := "sum(rate(http_requests_total[5m])) by (job)"
result, _, err := client.Query(context.Background(), query, time.Now())

OPA (evaluating policies):

compiler, err := ast.CompileModules(map[string]string{"policy.rego": policyContent})
query := rego.New(
    rego.Query("data.example.allow"),
    rego.Compiler(compiler),
)
results, err := query.Eval(context.Background())

Both repositories serve different purposes: Thanos focuses on scalable metrics storage and querying, while OPA is a general-purpose policy engine. The code examples demonstrate their distinct use cases.

kubeedge logo

kubeedge

6,726

Kubernetes Native Edge Computing Framework (project under CNCF)

Pros of KubeEdge

  • Designed specifically for edge computing and IoT scenarios
  • Provides seamless integration between cloud and edge devices
  • Supports offline operations and autonomous edge nodes

Cons of KubeEdge

  • More complex setup and configuration compared to OPA
  • Limited to Kubernetes-based environments
  • Steeper learning curve for developers new to edge computing

Code Comparison

KubeEdge configuration example:

apiVersion: cloudcore.config.kubeedge.io/v1alpha1
kind: CloudCore
cloudHub:
  advertiseAddress:
    - 10.10.102.78
  nodeLimit: 100

OPA policy example:

package httpapi.authz

default allow = false

allow {
  input.method == "GET"
  input.path == ["api", "v1", "health"]
}

While both projects serve different purposes, this comparison highlights that KubeEdge is more focused on edge computing infrastructure, while OPA is a general-purpose policy engine. KubeEdge's code typically involves Kubernetes-style configurations, whereas OPA uses its Rego language for defining policies.

falcosecurity logo

falco

7,328

Cloud Native Runtime Security

Pros of Falco

  • Specialized in runtime security and threat detection for containers and cloud-native environments
  • Provides real-time alerts and detailed system call-level visibility
  • Integrates well with Kubernetes and other container orchestration platforms

Cons of Falco

  • More focused on runtime security, less versatile for general policy enforcement
  • Steeper learning curve due to its specific syntax and rule language
  • May have higher resource overhead compared to OPA for certain use cases

Code Comparison

Falco rule example:

- rule: Unauthorized Process
  desc: Detect unauthorized process execution
  condition: spawned_process and not proc.name in (authorized_processes)
  output: Unauthorized process started (user=%user.name command=%proc.cmdline)
  priority: WARNING

OPA policy example:

package example
default allow = false
allow {
    input.user.name == "admin"
    input.request.method == "GET"
    input.request.path == "/api/data"
}

While both tools focus on security and policy enforcement, Falco is more specialized for runtime security and system-level monitoring, whereas OPA offers a more general-purpose policy engine that can be applied to various domains beyond just security.

cilium logo

cilium

20,022

eBPF-based Networking, Security, and Observability

Pros of Cilium

  • Provides comprehensive network security and observability for cloud-native environments
  • Offers eBPF-based networking, security, and observability features
  • Integrates well with Kubernetes and other container orchestration platforms

Cons of Cilium

  • Steeper learning curve due to its complexity and eBPF-based architecture
  • May require more resources to run effectively compared to OPA
  • Limited to network-level policies and doesn't cover application-level authorization

Code Comparison

Cilium (network policy):

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "allow-frontend-to-backend"
spec:
  endpointSelector:
    matchLabels:
      app: backend

OPA (application policy):

package httpapi.authz

default allow = false

allow {
  input.method == "GET"
  input.path == ["api", "public"]
}

While both projects focus on policy enforcement, Cilium operates at the network level using eBPF, whereas OPA is a general-purpose policy engine that can be applied to various domains, including application-level authorization.

aquasecurity logo

trivy

22,801

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Pros of Trivy

  • Specialized in container and filesystem vulnerability scanning
  • Faster scanning speed for container images
  • Easier setup and usage for vulnerability scanning tasks

Cons of Trivy

  • More limited in scope compared to OPA's general policy enforcement
  • Less flexible for custom policy creation and enforcement
  • Primarily focused on security vulnerabilities, not broader policy checks

Code Comparison

Trivy usage:

trivy image python:3.4-alpine

OPA usage:

opa eval -i input.json -d policy.rego "data.example.allow"

Trivy focuses on straightforward vulnerability scanning commands, while OPA requires more complex policy definitions and evaluations.

Summary

Trivy excels in container and filesystem vulnerability scanning with faster performance and easier setup. However, it's more limited in scope compared to OPA's general policy enforcement capabilities. OPA offers greater flexibility for custom policy creation and enforcement across various domains, while Trivy primarily focuses on security vulnerabilities. The choice between the two depends on specific use cases and requirements for policy enforcement versus vulnerability scanning.

cncf logo

tag-security

2,043

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!

Pros of tag-security

  • Broader focus on cloud-native security across multiple projects and technologies
  • Collaborative effort with input from various industry experts and organizations
  • Provides comprehensive security guidelines and best practices for cloud-native environments

Cons of tag-security

  • Less focused on specific policy enforcement mechanisms
  • May have a steeper learning curve for developers new to cloud-native security concepts
  • Updates and changes might be slower due to the collaborative nature of the project

Code comparison

While a direct code comparison is not particularly relevant in this case, we can look at how each project approaches security concepts:

tag-security (from a security assessment template):

threat_scenario:
  description: "Unauthorized access to sensitive data"
  impact: "High"
  mitigations:
    - "Implement strong authentication mechanisms"
    - "Encrypt data at rest and in transit"

OPA (policy example):

package httpapi.authz

default allow = false

allow {
    input.method == "GET"
    input.path == ["public", "health"]
}

The tag-security example focuses on high-level security concepts, while OPA provides specific policy enforcement rules.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

logo Open Policy Agent

Build Status Go Report Card CII Best Practices Netlify Status

Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

OPA is proud to be a graduated project in the Cloud Native Computing Foundation (CNCF) landscape. For details read the CNCF announcement.

Get started with OPA

  • Write your first Rego policy with the Rego Playground or use it to share your work with others for feedback and support. Have a look at the Access Control examples if you're not sure where to start.
  • Install the VS Code extension to get started locally with live diagnostics, debugging and formatting. See Editor and IDE Support for other supported editors.
  • Go to the OPA Documentation to learn about the Rego language as well as how to deploy and integrate OPA.
  • Check out the learning resources in the Learning Rego section of the ecosystem directory.
  • Follow the Running OPA instructions to get started with the OPA CLI locally.
  • See Docker Hub for container images and the GitHub releases for binaries.
  • Check out the OPA Roadmap to see a high-level snapshot of OPA features in-progress and planned.

Want to talk about OPA or get support?

Interested to learn what others are doing with OPA?

  • Browse community projects on the OPA Ecosystem Directory - don't forget to list your own!
  • Check out the ADOPTERS.md file for a list of production adopters. Does your organization use OPA in production? Support the OPA project by submitting a PR to add your organization to the list with a short description of your OPA use cases!

Want to integrate OPA?

  • See the high-level Go SDK or the low-level Go API GoDoc to integrate OPA with services written in Go.
  • See the REST API reference to integrate OPA with services written in other languages.
  • See the integration docs for more options.

Want to contribute to OPA?

How does OPA work?

OPA gives you a high-level declarative language to author and enforce policies across your stack.

With OPA, you define rules that govern how your system should behave. These rules exist to answer questions like:

  • Can user X call operation Y on resource Z?
  • What clusters should workload W be deployed to?
  • What tags must be set on resource R before it's created?

You integrate services with OPA so that these kinds of policy decisions do not have to be hardcoded in your service. Services integrate with OPA by executing queries when policy decisions are needed.

When you query OPA for a policy decision, OPA evaluates the rules and data (which you give it) to produce an answer. The policy decision is sent back as the result of the query.

For example, in a simple API authorization use case:

  • You write rules that allow (or deny) access to your service APIs.
  • Your service queries OPA when it receives API requests.
  • OPA returns allow (or deny) decisions to your service.
  • Your service enforces the decisions by accepting or rejecting requests accordingly.

For concrete examples of how to integrate OPA with systems like Kubernetes, Terraform, Docker, SSH, and more, see openpolicyagent.org.

Presentations

  • Open Policy Agent (OPA) Intro & Deep Dive @ Kubecon NA 2023: video
  • Open Policy Agent (OPA) Intro & Deep Dive @ Kubecon EU 2023: video
  • Running Policy in Hard to Reach Places with WASM & OPA @ CN Wasm Day EU 2023: video
  • OPA maintainers talk @ Kubecon NA 2022: video
  • Open Policy Agent (OPA) Intro & Deep Dive @ Kubecon EU 2022: video
  • Open Policy Agent Intro @ KubeCon EU 2021: Video
  • Using Open Policy Agent to Meet Evolving Policy Requirements @ KubeCon NA 2020: video
  • Applying Policy Throughout The Application Lifecycle with Open Policy Agent @ CloudNativeCon 2019: video
  • Open Policy Agent Introduction @ CloudNativeCon EU 2018: video, slides
  • Rego Deep Dive @ CloudNativeCon EU 2018: video, slides
  • How Netflix Is Solving Authorization Across Their Cloud @ CloudNativeCon US 2017: video, slides.
  • Policy-based Resource Placement in Kubernetes Federation @ LinuxCon Beijing 2017: slides, screencast
  • Enforcing Bespoke Policies In Kubernetes @ KubeCon US 2017: video, slides
  • Istio's Mixer: Policy Enforcement with Custom Adapters @ CloudNativeCon US 2017: video, slides

Security

A third party security audit was performed by Cure53, you can see the full report here.

Please report vulnerabilities by email to open-policy-agent-security. We will send a confirmation message to acknowledge that we have received the report and then we will send additional messages to follow up once the issue has been investigated.