
REST API Integrations

Kubernetes Admission Control

Styra, Microsoft and Google

The Kubernetes API server can be configured to use OPA as an admission controller. Creating a ValidatingWebhookConfiguration resource causes the API server to query OPA for policy decisions.

Container Network Authorization with Envoy

Official OPA Envoy Integration by Styra

The opa-envoy-plugin project uses the REST API to allow and deny requests routed via an Envoy proxy.

Read about this integration in the OPA Docs.


Authorization for Spring Security

Styra, build.security, Bisnode and AlertAVert.com

OPA Spring Security uses the REST API to query OPA about authz decisions. See an example application in OPA’s contrib repo.

Kafka Topic Authorization

TicketMaster and Styra

This project implements a custom Kafka authorizer that uses OPA to make authorization decisions by calling the REST API.

Installation and configuration instructions are available in the project’s README.


PHP OPA Library


This library provides a PHP wrapper around the OPA REST API. It can update policies and query for decisions. See the project README for various examples.

Strimzi (Apache Kafka on Kubernetes)


Strimzi can be configured to use OPA via the REST API as the Kafka authorizer using this project.

Authorization Integration with Apache APISIX

Apache APISIX routes can be configured to call an OPA instance over the REST API. This blog post explains how such a configuration can be achieved.

AWS CloudFormation Hook


The OPA CloudFormation Hook uses AWS Lambda to consult an OPA instance using the REST API before allowing a CloudFormation stack to be created.

Read the tutorial here in the OPA documentation.


i2scim.io SCIM Restful User/Group Provisioning API

Independent Identity

i2scim supports externalized access control decisions using OPA’s REST API. The integration is described in the i2scim documentation.

Kubernetes Authorization


The Kubernetes API server can be configured to use OPA as an authorization webhook. Such an integration can be configured by following the documentation in the contrib repo.


Open Policy Administration Layer by Permit.io

OPAL uses the OPA REST API to update the policy and data pushed down from the OPAL server. See how this works.


SPIRE can work in tandem with the Envoy proxy to integrate with the OPA REST API. See the tutorial here.

walt.id SSI Kit

Self-Sovereign Identity toolkit with OPA policy support by walt.id, Blockchain Lab:UM and Netis

SSI Kit’s CLI exposes policy management commands which update a local OPA instance. The feature is documented in the walt.id docs.

Boomerang Bosun Policy Gating

IBM and Boomerang

The Boomerang Bosun Service component interacts with an OPA instance over the REST API to evaluate policy during CI/CD runs.

Bottle Application Authorization

Dolev Farhi

This sample Python application has a middleware that calls OPA before processing each request. See the example code.

Kubernetes Admission Control using Vulnerability Scanning

This example project in OPA contrib uses OPA over the REST API to enforce admission policy based on vulnerability scanning results.

Minio API Authorization

Minio and Styra

Minio implements a native integration with OPA using the REST API. The integration is documented in the Minio docs.

NodeJS Express (build-security)


This project provides a middleware that can query an OPA server for policy decisions. See the project’s README for a simple JS example.

Integrations are ordered by the amount of linked content.

Do you have an OPA-based project or integration to share? Follow these instructions to get it listed or go to the #ecosystem channel in the OPA Slack if you have any questions.