Stop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack.

Whether for one service or for all your services, use OPA to decouple policy from the service's code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance.

Created By

Declarative Policy

Context-aware, Expressive, Fast, Portable

Declarative Policy

Context-aware, Expressive, Fast, Portable

Kubernetes

Envoy

Application

                              
package application.authz

# Everyone can see adopted pets
allowed_pets[pet] {
    some i
    pet := input.pet_list[i]
    pet.up_for_adoption == true
}

# Employees can see all pets.
allowed_pets[pet] {
    [header, payload, signature] := io.jwt.decode(input.token)
    payload.employee == true
    some i
    pet := input.pet_list[i]
}
                              
                            

Declarative. Express policy in a high-level, declarative language that promotes safe, performant, fine-grained controls. Use a language purpose-built for policy in a world where JSON is pervasive. Iterate, traverse hierarchies, and apply 50+ built-ins like string manipulation and JWT decoding to declare the policies you want enforced.

Context-aware. Leverage external information to write the policies you really care about. Stop inventing roles that represent complex relationships that years down the road no one will understand. Instead, write logic that adapts to the world around it and attach that logic to the systems that need it.

Architectural Flexibility

Balance integration, availability, consistency

Daemon

Service

Policy
(Rego)
Data
(JSON)

Deploy OPA as a separate process on the same host as your service. Integrate OPA by changing your service’s code, importing an OPA-enabled library, or using a network proxy integrated with OPA.

Library

Service

Policy
(Rego)
Data
(JSON)

Embed OPA policies into your service. Integrate OPA as a Go library that evaluates policy, or integrate a WebAssembly runtime and use OPA to compile policy to WebAssembly instructions.

Tools for Policy Authoring

IDEs, Sharing, Profiling, Testing, Coverage

Rego Playground for Policy Sharing

VS Code for Policy Authoring

CLI and REPL for complete control

OPA embraces policy-as-code, complete with tools that help people use and understand the policies they put in place. Integrated development environments, testing, profiling, coverage, automated performance tuning, and hot reloading aren’t just things you need for programming--you need them for policy too, and OPA delivers.