DevOps Glossary

Open Policy Agent (OPA)

Open Policy Agent (OPA) is an open-source policy engine for enforcing code-based rules across APIs and infrastructure.

Open Policy Agent (OPA) is an open-source policy engine that lets you define and enforce rules as code across systems such as Kubernetes, CI/CD pipelines, APIs, and cloud infrastructure. OPA separates policy decisions from application logic: a service sends structured input, often JSON, to OPA, and OPA evaluates it against policies written in Rego to return an allow, deny, or more detailed decision. Teams use Open Policy Agent to control actions like who can deploy to production, whether a Kubernetes pod may run as privileged, or whether Terraform changes meet security requirements. In Kubernetes, Gatekeeper uses OPA to enforce admission policies before resources are created. OPA is flexible and works across many platforms, while services like Azure Policy focus on governance inside a specific cloud provider. Its main benefit is consistent, version-controlled policy enforcement, but teams need to learn Rego and maintain policies carefully to avoid blocking valid work.
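The privileged-pod case mentioned above, written as a Rego policy with unit tests. This is an added example, not part of the original glossary entry. It assumes plain OPA receiving a Kubernetes AdmissionReview as `input` (Gatekeeper wraps policies in its own template format), and the package name, the `pod_review` helper, and the sample pod are constructed for illustration.

```rego
package kubernetes.admission

import rego.v1

default allow := false

# The request is allowed only when no deny message was produced.
allow if count(deny) == 0

# Reject a Pod if any of its containers asks for privileged mode.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in all_containers
	c.securityContext.privileged == true
	msg := sprintf("container %q in pod %q must not run as privileged", [c.name, input.request.object.metadata.name])
}

# Cover init and ephemeral containers too, so the check cannot be sidestepped.
all_containers contains c if {
	some c in input.request.object.spec.containers
}

all_containers contains c if {
	some c in input.request.object.spec.initContainers
}

all_containers contains c if {
	some c in input.request.object.spec.ephemeralContainers
}

# Constructed sample input: a minimal AdmissionReview for one Pod.
pod_review(privileged) := {"request": {
	"kind": {"kind": "Pod"},
	"object": {
		"metadata": {"name": "demo"},
		"spec": {"containers": [{"name": "app", "securityContext": {"privileged": privileged}}]}
	}
}}

# Tests guard against the policy blocking valid work after a later edit.
test_privileged_pod_denied if {
	review := pod_review(true)
	count(deny) == 1 with input as review
}

test_unprivileged_pod_allowed if {
	review := pod_review(false)
	allow with input as review
}
```

Running `opa test` on the file evaluates both `test_` rules, which lets the policy be checked in CI before it is deployed to an admission controller.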