Inferensys

Glossary

Open Policy Agent (OPA)

A general-purpose policy engine that decouples policy decisions from application logic, allowing unified, context-aware authorization across a cloud-native stack using the Rego language.
Developer reviewing semantic search engine results on laptop, relevance scores visible, technical search demo.
UNIFIED POLICY ENGINE

What is Open Policy Agent (OPA)?

A general-purpose policy engine that decouples policy decisions from application logic, enabling unified, context-aware authorization across the cloud-native stack.

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that decouples policy decisions from application business logic. It provides a unified framework for defining and enforcing authorization rules as code across an entire distributed system, from API gateways and Kubernetes admission control to microservice sidecars. By externalizing policy, OPA allows operators to change security and compliance rules without modifying or redeploying the underlying services.

Policies in OPA are written in Rego, a declarative, high-level language purpose-built for expressing complex rules over structured hierarchical data. An application queries OPA by sending a JSON payload representing the current state of a request, and OPA evaluates the input against its loaded policies to return an allow or deny decision. This architecture creates a single, auditable source of truth for authorization logic, replacing fragmented, hard-coded permission checks with a centralized, version-controllable policy control plane.

UNIFIED POLICY ENGINE

Core Characteristics of OPA

Open Policy Agent decouples policy decisions from application logic, enabling unified, context-aware authorization across the entire cloud-native stack using the declarative Rego language.

01

Decoupled Decision-Making

OPA externalizes authorization logic from the application codebase. Instead of embedding complex if-else blocks, services query OPA via a local sidecar or daemon. This separation allows policy updates without recompiling, redeploying, or restarting the application. The application sends a structured JSON query, and OPA returns a simple allow/deny decision, keeping business logic clean and maintainable.

02

Rego Policy Language

Policies are expressed in Rego, a high-level declarative language purpose-built for expressing rules over complex hierarchical data. Rego queries inspect the structure of JSON input to make decisions.

  • Declarative: You define what the policy is, not how to enforce it.
  • Iterative Evaluation: Rego uses a unified syntax for queries and rules.
  • Built-in Functions: Includes over 150 built-ins for string manipulation, JWT verification, and cryptographic hashing.
03

Context-Aware Authorization

OPA evaluates policies against the full context of an API request, not just the user's role. This enables Attribute-Based Access Control (ABAC).

  • Data Injection: OPA can pull in external data (e.g., real-time threat feeds, inventory levels) at decision time.
  • Multi-Dimensional: Decisions can factor in the request path, HTTP method, time of day, IP geolocation, and resource ownership simultaneously.
  • Example: A policy might allow a POST to /api/orders only if the user is in the fulfillment group and the request originates from a corporate IP range during business hours.
04

Kubernetes Admission Control

OPA Gatekeeper is a specialized Kubernetes admission controller that enforces Custom Resource Definitions (CRDs) via Rego policies. It validates, mutates, or rejects resource creation before objects are persisted to etcd.

  • Constraint Templates: Define reusable policy schemas.
  • Audit Functionality: Periodically evaluates existing cluster resources against current policies to detect historical violations.
  • Common Use Cases: Enforcing mandatory container image registries, denying privileged pods, and requiring specific labels on namespaces.
05

Infrastructure as Code (IaC) Policy Checks

OPA evaluates static infrastructure manifests (Terraform, CloudFormation, Kubernetes YAML) before deployment to prevent misconfigurations. This shifts security left by catching violations in CI/CD pipelines.

  • Terraform Integration: The terraform plan output is passed to OPA to deny non-compliant resources.
  • Regal Linter: A dedicated linter for Rego policies ensures best practices are followed in the policies themselves.
  • Example Rule: Deny any AWS S3 bucket with public-read ACL or an unencrypted block device.
06

Service Mesh Authorization

OPA integrates as an external authorizer for service meshes like Envoy and Istio. Instead of relying solely on mTLS identity, OPA applies fine-grained Rego policies to every inter-service request at the proxy level.

  • Envoy External Authorization: The ext_authz filter offloads decision-making to an OPA instance.
  • API Gateway: OPA can authorize requests at the edge, validating JWT claims and API keys before traffic reaches internal services.
  • Dynamic Control: API access rules can be updated instantly without restarting the sidecar proxies.
POLICY AS CODE

Frequently Asked Questions

Clear, technical answers to the most common questions about Open Policy Agent, its architecture, and its role in unified authorization for sovereign infrastructure.

Open Policy Agent (OPA) is a general-purpose policy engine that decouples policy decisions from application logic, enabling unified, context-aware authorization across the entire cloud-native stack. It works by evaluating structured input data—typically JSON—against policies written in a declarative language called Rego. When an application or service needs an authorization decision, it queries OPA via a REST API or the Go library, sending the current state of the request as JSON. OPA then evaluates the input against the pre-loaded Rego policies and returns an allow or deny decision, along with any arbitrary structured output. This architecture centralizes policy logic, making it auditable, version-controllable, and consistently enforced across API gateways, Kubernetes admission control, service meshes, and CI/CD pipelines without embedding authorization logic in each service.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.