https://backend-engineering-strategy-tools.github.io/site/tags/opa/Recent content in Opa on Backend Engineering Strategy ToolsHugo -- gohugo.ioen-usTue, 09 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/overview/Tue, 09 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/overview/<p>Encoding compliance, security, and operational rules as version-controlled, testable code — evaluated at the point where things are created or changed rather than audited after the fact.</p> <p>The alternative is manual review and reactive alerts. Policy as code shifts that left: rules are explicit, reviewable, and enforced automatically.</p> <h2 id="enforcement-points">Enforcement points </h2><p>The same policy intent can be applied at three different points in the lifecycle:</p> <p><strong>CI/CD gate</strong> — evaluate before anything reaches the cluster. Fail the pipeline on violations. Tools: Conftest, Checkov, Trivy IaC. Lowest blast radius, fastest feedback loop.</p> <p><strong>Cluster admission</strong> — intercept every <code>kubectl apply</code> at the API server. No non-compliant resource can be created or updated. Tools: Kyverno, Gatekeeper (OPA), K8s-native ValidatingAdmissionPolicy.</p> <p><strong>Runtime / drift detection</strong> — continuously evaluate live state against policy and surface violations. Catches things that predate the policy, or that arrived outside normal pipelines. Tools: OPA, AWS Config, Kyverno audit mode.</p> <p>Most teams layer these: CI catches the obvious mistakes early and cheap, admission control enforces hard requirements at the cluster boundary, audit mode gives visibility into what is already out of compliance.</p> <h2 id="how-the-tools-relate">How the tools relate </h2><p>OPA is the common engine underneath Gatekeeper and Conftest. Rego is its policy language — learn it once and it applies across both. Kyverno is a separate engine that replaces Rego with Kubernetes-native YAML; lower barrier to entry, but the policy language does not transfer outside K8s. The K8s-native ValidatingAdmissionPolicy uses CEL, a simpler expression language built into the API server — no extra install, but limited to validation and basic mutation.</p> <pre tabindex="0"><code>Policy intent ├── CI/CD gate → Conftest (Rego) / Checkov / Trivy IaC ├── K8s admission → Kyverno (YAML) / Gatekeeper (Rego) / VAP (CEL) └── Runtime → OPA server / Kyverno audit / AWS Config </code></pre><h2 id="to-explore">To explore </h2><ul> <li><strong>Rego standalone</strong> — eval policies against arbitrary JSON input using <code>opa eval</code> and the REPL, without Kubernetes. Good way to learn the language in isolation before wiring it into a pipeline or cluster. See the <a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/opa/" >OPA &amp; Rego</a> note.</li> </ul>https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/conftest/Mon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/conftest/<p>Conftest is a CLI tool that runs OPA policies against structured config files — Kubernetes manifests, Terraform plans, Helm output, Dockerfiles, GitHub Actions workflows, anything that can be parsed. It is the CI/CD enforcement layer on top of Rego.</p> <p>Write a policy once in Rego, run <code>conftest test</code> in your pipeline, fail the build if violations are found.</p> <h2 id="install">Install </h2><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>brew install conftest </span></span></code></pre></div><h2 id="basic-usage">Basic usage </h2><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Test a Kubernetes manifest</span> </span></span><span style="display:flex;"><span>conftest test deployment.yaml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test all YAML in a directory</span> </span></span><span style="display:flex;"><span>conftest test k8s/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test a Terraform plan (JSON output)</span> </span></span><span style="display:flex;"><span>terraform show -json tfplan &gt; tfplan.json </span></span><span style="display:flex;"><span>conftest test tfplan.json --parser json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test Helm-rendered output</span> </span></span><span style="display:flex;"><span>helm template my-app ./chart | conftest test - </span></span></code></pre></div><p>By default Conftest looks for policies in <code>./policy/</code>. Change with <code>--policy</code>.</p> <h2 id="policy-structure">Policy structure </h2><p>Policies are Rego files in the <code>policy/</code> directory. Conftest checks for <code>deny</code>, <code>warn</code>, and <code>violation</code> rules.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-rego" data-lang="rego"><span style="display:flex;"><span><span style="color:#75715e"># policy/k8s.rego</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">package</span> <span style="color:#a6e22e">main</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># deny blocks the pipeline</span> </span></span><span style="display:flex;"><span>deny <span style="color:#66d9ef">contains</span> <span style="color:#a6e22e">msg</span> <span style="color:#66d9ef">if</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">kind</span> <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;Deployment&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">not</span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">spec</span><span style="color:#f92672">.</span><span style="color:#a6e22e">template</span><span style="color:#f92672">.</span><span style="color:#a6e22e">spec</span><span style="color:#f92672">.</span><span style="color:#a6e22e">securityContext</span><span style="color:#f92672">.</span><span style="color:#a6e22e">runAsNonRoot</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">msg</span> <span style="color:#f92672">:=</span> <span style="color:#a6e22e">sprintf</span>(<span style="color:#e6db74">&#34;Deployment %v must set runAsNonRoot&#34;</span><span style="color:#f92672">,</span> [<span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">metadata</span><span style="color:#f92672">.</span><span style="color:#a6e22e">name</span>]) </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># warn prints a warning but does not fail</span> </span></span><span style="display:flex;"><span>warn <span style="color:#66d9ef">contains</span> <span style="color:#a6e22e">msg</span> <span style="color:#66d9ef">if</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">kind</span> <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;Deployment&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">not</span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">metadata</span><span style="color:#f92672">.</span><span style="color:#a6e22e">labels</span>[<span style="color:#e6db74">&#34;app.kubernetes.io/version&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">msg</span> <span style="color:#f92672">:=</span> <span style="color:#a6e22e">sprintf</span>(<span style="color:#e6db74">&#34;Deployment %v is missing version label&#34;</span><span style="color:#f92672">,</span> [<span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">metadata</span><span style="color:#f92672">.</span><span style="color:#a6e22e">name</span>]) </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><pre tabindex="0"><code>$ conftest test deployment.yaml FAIL - deployment.yaml - main - Deployment nginx must set runAsNonRoot WARN - deployment.yaml - main - Deployment nginx is missing version label 2 tests, 0 passed, 1 warning, 1 failure </code></pre><h2 id="namespaces">Namespaces </h2><p>Use <code>--namespace</code> to scope which Rego package Conftest evaluates. Useful when you have per-resource-type policies in separate packages.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>conftest test deployment.yaml --namespace kubernetes.deployments </span></span></code></pre></div><h2 id="multiple-parsers">Multiple parsers </h2><p>Conftest supports many input formats. Common ones:</p> <table> <thead> <tr> <th>Flag</th> <th>Parses</th> </tr> </thead> <tbody> <tr> <td><code>--parser yaml</code></td> <td>YAML (default for <code>.yaml</code>/<code>.yml</code>)</td> </tr> <tr> <td><code>--parser json</code></td> <td>JSON, Terraform plan</td> </tr> <tr> <td><code>--parser hcl2</code></td> <td>Terraform HCL</td> </tr> <tr> <td><code>--parser dockerfile</code></td> <td>Dockerfiles</td> </tr> <tr> <td><code>--parser toml</code></td> <td>TOML</td> </tr> </tbody> </table> <h2 id="sharing-policies">Sharing policies </h2><p>Policies can be distributed as OCI artifacts and pulled with <code>conftest pull</code>.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>conftest pull ghcr.io/myorg/policies:latest </span></span><span style="display:flex;"><span>conftest test deployment.yaml </span></span></code></pre></div><p>The <a class="link" href="https://www.conftest.dev/sharing/" target="_blank" rel="noopener" >Conftest policy hub</a> documents the format. Useful for sharing a common policy library across repos without copy-pasting Rego.</p> <h2 id="in-ci">In CI </h2><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#75715e"># GitHub Actions example</span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Policy check</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> conftest test k8s/ --policy policy/</span> </span></span></code></pre></div><p>Exits non-zero on <code>deny</code> violations. <code>warn</code> violations print but do not fail the build — useful for phased enforcement (warn first, deny later).</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://www.conftest.dev/" target="_blank" rel="noopener" >Conftest documentation</a></li> <li><a class="link" href="https://github.com/open-policy-agent/conftest" target="_blank" rel="noopener" >Conftest GitHub</a></li> <li><a class="link" href="https://github.com/open-policy-agent/conftest/tree/master/examples" target="_blank" rel="noopener" >Example policies</a></li> </ul>https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/Mon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/<p>Kubernetes has three distinct policy enforcement mechanisms. They sit at the same point in the request lifecycle — the admission controller — but differ in language, capability, and operational complexity.</p> <table> <thead> <tr> <th></th> <th>Kyverno</th> <th>Gatekeeper (OPA)</th> <th>ValidatingAdmissionPolicy</th> </tr> </thead> <tbody> <tr> <td>Language</td> <td>YAML/JMESPath</td> <td>Rego</td> <td>CEL</td> </tr> <tr> <td>Native to K8s</td> <td>No (CRD)</td> <td>No (CRD)</td> <td>Yes (built-in)</td> </tr> <tr> <td>Validate</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Mutate</td> <td>Yes</td> <td>Limited</td> <td>Yes (1.32+)</td> </tr> <tr> <td>Generate</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>Image verify</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>GA since</td> <td>—</td> <td>—</td> <td>K8s 1.30</td> </tr> <tr> <td>Good for</td> <td>Full-featured, K8s-native feel</td> <td>Rego-first teams, policy-as-data</td> <td>Simple rules, no extra install</td> </tr> </tbody> </table> <h2 id="validatingadmissionpolicy-vap">ValidatingAdmissionPolicy (VAP) </h2><p>Added in Kubernetes 1.26, <strong>GA in 1.30</strong>. Policies are built into the API server — no admission controller to deploy or maintain. Policy is written in <strong>CEL</strong> (Common Expression Language), a simple expression language also used in Kubernetes&rsquo; <code>x-kubernetes-validations</code> CRD validation.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicy</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">failurePolicy</span>: <span style="color:#ae81ff">Fail</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchConstraints</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">resourceRules</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;apps&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">apiVersions</span>: [<span style="color:#e6db74">&#34;v1&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">operations</span>: [<span style="color:#e6db74">&#34;CREATE&#34;</span>, <span style="color:#e6db74">&#34;UPDATE&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">resources</span>: [<span style="color:#e6db74">&#34;deployments&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">validations</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">expression</span>: &gt;<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> object.spec.template.spec.securityContext.runAsNonRoot == true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">message</span>: <span style="color:#e6db74">&#34;Pods must run as non-root&#34;</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicyBinding</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root-binding&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">policyName</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validationActions</span>: [<span style="color:#ae81ff">Deny]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchResources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespaceSelector</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchLabels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">enforce-policy</span>: <span style="color:#e6db74">&#34;true&#34;</span> </span></span></code></pre></div><p>The <code>ValidatingAdmissionPolicyBinding</code> scopes where a policy applies — cluster-wide, specific namespaces, or by label selector.</p> <h3 id="cel-basics">CEL basics </h3><p>CEL expressions have access to <code>object</code> (the incoming resource), <code>oldObject</code> (for updates), <code>request</code> (metadata, user, etc.), and <code>params</code> (a referenced ConfigMap or CRD for parameterisation).</p> <pre tabindex="0"><code># Simple field check object.spec.replicas &lt;= 10 # Nested optional field (use ?. for optional traversal) object.spec.template.spec.?securityContext.?runAsNonRoot == optional.of(true) # List comprehension — all containers must have limits object.spec.template.spec.containers.all(c, has(c.resources) &amp;&amp; has(c.resources.limits) ) # String operations object.metadata.name.startsWith(&#34;prod-&#34;) </code></pre><h3 id="mutatingadmissionpolicy">MutatingAdmissionPolicy </h3><p>Added in Kubernetes 1.32 (alpha). Brings CEL-based mutation — set defaults, inject labels, patch fields — without Kyverno or a webhook. Still early; not production-ready yet.</p> <h2 id="gatekeeper">Gatekeeper </h2><p>OPA running as a Kubernetes admission controller. Policies are written in Rego and stored as <code>ConstraintTemplate</code> CRDs. The separation between template (the Rego logic) and constraint (the enforcement configuration + parameters) is the key design pattern.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">templates.gatekeeper.sh/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConstraintTemplate</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">k8srequiredlabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">crd</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">names</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validation</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">openAPIV3Schema</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">properties</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">array</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">items</span>: {<span style="color:#f92672">type</span>: <span style="color:#ae81ff">string}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">targets</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">target</span>: <span style="color:#ae81ff">admission.k8s.gatekeeper.sh</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">rego</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> package k8srequiredlabels </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> violation[{&#34;msg&#34;: msg}] { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> provided := {label | input.review.object.metadata.labels[label]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> required := {label | label := input.parameters.labels[_]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> missing := required - provided </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> count(missing) &gt; 0 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> msg := sprintf(&#34;missing required labels: %v&#34;, [missing]) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> }</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">constraints.gatekeeper.sh/v1beta1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">require-team-label</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#e6db74">&#34;Namespace&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">parameters</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: [<span style="color:#e6db74">&#34;team&#34;</span>, <span style="color:#e6db74">&#34;environment&#34;</span>] </span></span></code></pre></div><p>Gatekeeper also supports <strong>audit mode</strong> — it continuously evaluates existing resources against policies and surfaces violations without blocking. Useful for measuring compliance against policies you&rsquo;re not yet ready to enforce.</p> <h3 id="gatekeeper-vs-kyverno">Gatekeeper vs Kyverno </h3><p>Kyverno is better if your team does not know Rego and wants policies that look like Kubernetes manifests. Gatekeeper is better if you are already invested in OPA/Rego and want a single policy language across K8s and non-K8s surfaces (via Conftest).</p> <p>The K8s-native VAP is the right default for simple validation rules on new clusters — no extra install, but it does not cover mutation (until 1.32+), generation, or image verification.</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://open-policy-agent.github.io/gatekeeper/" target="_blank" rel="noopener" >Gatekeeper documentation</a></li> <li><a class="link" href="https://github.com/open-policy-agent/gatekeeper-library" target="_blank" rel="noopener" >Gatekeeper library</a> — ready-made ConstraintTemplates</li> <li><a class="link" href="https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/" target="_blank" rel="noopener" >ValidatingAdmissionPolicy docs</a></li> <li><a class="link" href="https://kubernetes.io/docs/reference/using-api/cel/" target="_blank" rel="noopener" >CEL in Kubernetes</a></li> <li><a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/" >Kyverno</a> — separate note</li> </ul>https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/opa/Mon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/opa/<p>OPA (Open Policy Agent) is a general-purpose policy engine. It takes structured input (JSON), evaluates it against a policy written in Rego, and returns a decision. It does not care what the input represents — Kubernetes resources, Terraform plans, HTTP requests, CI artifacts — anything you can express as JSON.</p> <p>Rego is the query language OPA uses to express policy. It is declarative and logic-based (Datalog-inspired), which is a different mental model from imperative code. The learning curve is real but the payoff is policies that are testable, composable, and auditable.</p> <h2 id="install">Install </h2><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>brew install opa </span></span></code></pre></div><p>Or download a binary from <a class="link" href="https://github.com/open-policy-agent/opa/releases" target="_blank" rel="noopener" >github.com/open-policy-agent/opa/releases</a>. No dependencies.</p> <h2 id="standalone-eval">Standalone eval </h2><p>The fastest way to learn Rego is the REPL and the <code>eval</code> command — no Kubernetes, no Conftest, just OPA and a policy file.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Interactive REPL</span> </span></span><span style="display:flex;"><span>opa run </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Eval a query against a policy file and input</span> </span></span><span style="display:flex;"><span>opa eval <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --data policy.rego <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --input input.json <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;data.mypackage.allow&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Run tests</span> </span></span><span style="display:flex;"><span>opa test ./policies/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Run tests with coverage</span> </span></span><span style="display:flex;"><span>opa test --coverage ./policies/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check syntax without evaluating</span> </span></span><span style="display:flex;"><span>opa check policy.rego </span></span></code></pre></div><h3 id="repl-basics">REPL basics </h3><pre tabindex="0"><code>&gt; data # inspect all loaded data &gt; input # inspect current input &gt; x := {&#34;a&#34;: 1}; x.a == 1 # inline assignment and check &gt; :help </code></pre><h2 id="rego-basics">Rego basics </h2><p>A policy file is a package with rules. Rules are boolean expressions — they are <code>true</code> when all conditions in the body hold.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-rego" data-lang="rego"><span style="display:flex;"><span><span style="color:#66d9ef">package</span> <span style="color:#a6e22e">mypackage</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># default value when no rule fires</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">default</span> <span style="color:#a6e22e">allow</span> <span style="color:#f92672">:=</span> <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># allow if both conditions hold</span> </span></span><span style="display:flex;"><span>allow <span style="color:#66d9ef">if</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">user</span> <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;admin&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">action</span> <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;read&#34;</span> </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="sets-and-comprehensions">Sets and comprehensions </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-rego" data-lang="rego"><span style="display:flex;"><span><span style="color:#66d9ef">package</span> <span style="color:#a6e22e">mypackage</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># set of violations — empty set means compliant</span> </span></span><span style="display:flex;"><span>violations <span style="color:#66d9ef">contains</span> <span style="color:#a6e22e">msg</span> <span style="color:#66d9ef">if</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">containers</span>[<span style="color:#a6e22e">_</span>]<span style="color:#f92672">.</span><span style="color:#a6e22e">image</span> <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;latest&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">msg</span> <span style="color:#f92672">:=</span> <span style="color:#e6db74">&#34;image tag must not be latest&#34;</span> </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># all images</span> </span></span><span style="display:flex;"><span>images <span style="color:#f92672">:=</span> {<span style="color:#a6e22e">img</span> <span style="color:#f92672">|</span> <span style="color:#a6e22e">img</span> <span style="color:#f92672">:=</span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">containers</span>[<span style="color:#a6e22e">_</span>]<span style="color:#f92672">.</span><span style="color:#a6e22e">image</span>} </span></span></code></pre></div><h3 id="iteration">Iteration </h3><p>Rego iterates implicitly. <code>input.containers[_]</code> means &ldquo;for any element in containers&rdquo;. Use <code>[i]</code> if you need the index.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-rego" data-lang="rego"><span style="display:flex;"><span><span style="color:#75715e"># any container missing a CPU limit is a violation</span> </span></span><span style="display:flex;"><span>violations <span style="color:#66d9ef">contains</span> <span style="color:#a6e22e">msg</span> <span style="color:#66d9ef">if</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">container</span> <span style="color:#f92672">:=</span> <span style="color:#a6e22e">input</span><span style="color:#f92672">.</span><span style="color:#a6e22e">containers</span>[<span style="color:#a6e22e">_</span>] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">not</span> <span style="color:#a6e22e">container</span><span style="color:#f92672">.</span><span style="color:#a6e22e">resources</span><span style="color:#f92672">.</span><span style="color:#a6e22e">limits</span><span style="color:#f92672">.</span><span style="color:#a6e22e">cpu</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">msg</span> <span style="color:#f92672">:=</span> <span style="color:#a6e22e">sprintf</span>(<span style="color:#e6db74">&#34;container %v has no CPU limit&#34;</span><span style="color:#f92672">,</span> [<span style="color:#a6e22e">container</span><span style="color:#f92672">.</span><span style="color:#a6e22e">name</span>]) </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="testing">Testing </h3><p>OPA has a built-in test runner. Test files are Rego files with rules prefixed <code>test_</code>.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-rego" data-lang="rego"><span style="display:flex;"><span><span style="color:#66d9ef">package</span> <span style="color:#a6e22e">mypackage_test</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">import</span> <span style="color:#a6e22e">data</span><span style="color:#f92672">.</span><span style="color:#a6e22e">mypackage</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>test_allow_admin <span style="color:#66d9ef">if</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mypackage</span><span style="color:#f92672">.</span><span style="color:#a6e22e">allow</span> <span style="color:#66d9ef">with</span> <span style="color:#a6e22e">input</span> <span style="color:#66d9ef">as</span> {<span style="color:#e6db74">&#34;user&#34;</span>: <span style="color:#e6db74">&#34;admin&#34;</span><span style="color:#f92672">,</span> <span style="color:#e6db74">&#34;action&#34;</span>: <span style="color:#e6db74">&#34;read&#34;</span>} </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>test_deny_non_admin <span style="color:#66d9ef">if</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">not</span> <span style="color:#a6e22e">mypackage</span><span style="color:#f92672">.</span><span style="color:#a6e22e">allow</span> <span style="color:#66d9ef">with</span> <span style="color:#a6e22e">input</span> <span style="color:#66d9ef">as</span> {<span style="color:#e6db74">&#34;user&#34;</span>: <span style="color:#e6db74">&#34;bob&#34;</span><span style="color:#f92672">,</span> <span style="color:#e6db74">&#34;action&#34;</span>: <span style="color:#e6db74">&#34;read&#34;</span>} </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>opa test ./ </span></span><span style="display:flex;"><span><span style="color:#75715e"># PASS: 2/2</span> </span></span></code></pre></div><h2 id="input-and-data">Input and data </h2><p>OPA separates <strong>input</strong> (the thing being evaluated — changes per request) from <strong>data</strong> (context that does not change — lookup tables, allowlists, base policy).</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># data is loaded with --data, can be JSON or Rego</span> </span></span><span style="display:flex;"><span>opa eval --data policy.rego --data allowlist.json --input request.json <span style="color:#e6db74">&#34;data.authz.allow&#34;</span> </span></span></code></pre></div><h2 id="opa-as-a-server">OPA as a server </h2><p>OPA can run as a sidecar or standalone HTTP server. POST JSON to <code>/v1/data/&lt;package&gt;/&lt;rule&gt;</code> to get a decision.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>opa run --server --addr :8181 policy.rego </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>curl -X POST http://localhost:8181/v1/data/mypackage/allow <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;input&#34;: {&#34;user&#34;: &#34;admin&#34;, &#34;action&#34;: &#34;read&#34;}}&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># {&#34;result&#34;: true}</span> </span></span></code></pre></div><p>This is how Gatekeeper and Conftest use OPA under the hood.</p> <h2 id="rego-playground">Rego playground </h2><p>The <a class="link" href="https://play.openpolicyagent.org/" target="_blank" rel="noopener" >Rego Playground</a> is the fastest way to experiment without installing anything. Paste a policy and input, evaluate, iterate.</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://www.openpolicyagent.org/docs/latest/" target="_blank" rel="noopener" >OPA documentation</a></li> <li><a class="link" href="https://play.openpolicyagent.org/" target="_blank" rel="noopener" >Rego Playground</a></li> <li><a class="link" href="https://www.openpolicyagent.org/docs/latest/policy-cheatsheet/" target="_blank" rel="noopener" >Rego cheat sheet</a></li> <li><a class="link" href="https://github.com/open-policy-agent/opa" target="_blank" rel="noopener" >OPA GitHub</a></li> <li><a class="link" href="https://academy.styra.com/" target="_blank" rel="noopener" >Styra Academy</a> — free Rego courses (Styra built OPA)</li> </ul>