Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Updated Jun 12, 2024 - Go
What is OPA
The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Write tests against structured configuration data using the Open Policy Agent Rego query language
Integrations, examples, and proof-of-concepts that are not part of OPA proper.
An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
A policy management tool for interacting with Gatekeeper
Traefik plugin which checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS
Regal is a linter for Rego, with the goal of making your Rego magnificent!
OPA-Envoy-SPIRE External Authorization Example.
This is just a proof-of-concept project that aims to sign and verify container images using cosign and OPA (Open Policy Agent)
Experimental AWS ApiGateway Authorizer Go Lambda with embedded Open Policy Agent
Kubernetes Operator to manage Dynamic Admission Controllers using Open Policy Agent
mesh-kridik is an open-source security checker that performs various security checks on a Kubernetes cluster with Istio service mesh and leverages OPA (Open Policy Agent) to enforce security rules.
Watch your in-cluster Kubernetes manifests for OPA policy violations and export them as Prometheus metrics
Audit Dependency-Track findings and policy violations via policy as code
Sign your artifacts, source code or container images using Sigstore tools, save the signatures you want to use, and validate and control deployments to automatically allow only known sources based on signatures, maintainers and other payloads.
Todo App
OPA Dependency Manager (ODM)
An end-to-end demo of serverless technologies
Create Kubernetes AdmissionReview requests from Kubernetes resource manifests
HTTP/3-enable existing HTTP apps. Leverage HTTP3 native features and auto-enable workload identity (SPIFFE), AuthN (mTLS/x509, OIDC/Auth0-Okta), AuthZ (OPA), defense-in-depth (WAAP/WAF), and observability (metrics, logs, alerting, dashboard).