1. Home
  2. /
  3. Opa-rego
  4. /
  5. Simple OPA Rego Policy

Simple OPA Rego Policy - Opa-rego Typing CST Test

Loading…

Simple OPA Rego Policy — Opa-rego Code

A simple Rego policy to deny creation of public S3 buckets in AWS.

# opa/demo/deny_public_s3.rego
package s3

default allow = true

allow {
	input.resource_type != "aws_s3_bucket"
}

allow {
	input.resource_type == "aws_s3_bucket"
	input.acl != "public-read"
	input.acl != "public-read-write"
}

Opa-rego Language Guide

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that allows you to define, enforce, and manage policies across cloud-native environments, applications, and infrastructure using its high-level declarative language, Rego.

Primary Use Cases

  • ▸Kubernetes admission control policies (via Gatekeeper)
  • ▸API authorization and access control
  • ▸CI/CD pipeline enforcement
  • ▸Cloud infrastructure policy compliance
  • ▸Auditing and governance across distributed systems

Notable Features

  • ▸Centralized policy engine for multiple services
  • ▸Declarative policy language (Rego) for complex rules
  • ▸REST API and SDK for real-time policy evaluation
  • ▸Integration with Kubernetes via admission controllers
  • ▸Supports auditing, logging, and metrics

Origin & Creator

Created by Styra Inc., OPA was developed to provide a unified policy framework for cloud-native environments and to enforce policies declaratively across services and infrastructure.

Industrial Note

OPA is particularly useful for DevSecOps, cloud governance, Kubernetes admission control, and API authorization, allowing teams to enforce policies consistently and avoid security or compliance drift.

Quick Explain

  • ▸OPA decouples policy decisions from the application code, enabling centralized, consistent policy enforcement.
  • ▸Policies are written in Rego, a declarative language designed to express complex rules and constraints.
  • ▸Supports evaluation of policies for Kubernetes, CI/CD pipelines, API gateways, cloud resources, and custom applications.
  • ▸OPA provides REST APIs, SDKs, and integrations for real-time policy decisions.
  • ▸Enables auditing, compliance, and governance across multi-cloud and microservices environments.

Core Features

  • ▸Policy evaluation - enforce access, validation, or compliance rules
  • ▸Rego language - declarative language for expressing rules
  • ▸Data store - JSON documents for policy input and context
  • ▸Decision logs - track policy decisions for auditing
  • ▸Integrations - SDKs, CLI, REST API, and Kubernetes Gatekeeper

Learning Path

  • ▸Learn Rego syntax and expressions
  • ▸Understand OPA architecture and decision model
  • ▸Write simple policies and evaluate with `opa eval`
  • ▸Integrate OPA with Kubernetes or CI/CD pipelines
  • ▸Implement decision logging and auditing for governance

Practical Examples

  • ▸Restrict Kubernetes namespace creation to certain teams
  • ▸Enforce image security policies in CI/CD pipelines
  • ▸Authorize API requests based on user roles and attributes
  • ▸Ensure cloud resources comply with tagging policies
  • ▸Audit configuration drift and log policy violations

Comparisons

  • ▸OPA vs native Kubernetes RBAC: OPA supports custom policies beyond RBAC
  • ▸OPA vs traditional ACLs: OPA is declarative, centralized, and auditable
  • ▸OPA vs HashiCorp Sentinel: Both are policy engines; OPA is cloud-native and more flexible
  • ▸OPA vs AppArmor/SELinux: OPA handles higher-level authorization logic, not OS-level enforcement
  • ▸OPA vs IAM policies: OPA provides fine-grained, programmable decisions across environments

Strengths

  • ▸Centralized, consistent policy enforcement across services
  • ▸Extensible and adaptable to multiple environments
  • ▸Declarative and expressive language for complex rules
  • ▸Real-time decision-making for dynamic applications
  • ▸Strong support for Kubernetes-native policy enforcement

Limitations

  • ▸Requires understanding of Rego syntax and logic
  • ▸Debugging complex policies can be challenging
  • ▸Performance can degrade with very large datasets
  • ▸Not a full CI/CD or security platform; must integrate with other tools
  • ▸Initial adoption may require culture shift in DevOps teams

When NOT to Use

  • ▸Small projects without need for centralized policies
  • ▸Environments with static, simple access control
  • ▸Applications that cannot integrate with OPA API
  • ▸Teams unfamiliar with declarative policies or Rego
  • ▸Systems where policy evaluation latency is critical and cannot tolerate sidecar/service calls

Cheat Sheet

  • ▸opa eval --data policy.rego 'data.example.allow'
  • ▸opa test ./policy
  • ▸opa run
  • ▸opa check policy.rego
  • ▸opa fmt policy.rego

FAQ

  • ▸Can OPA enforce policies outside Kubernetes? -> Yes, via REST API and SDKs.
  • ▸Is Rego mandatory? -> Yes, policies are expressed in Rego.
  • ▸Can OPA evaluate real-time decisions? -> Yes, through API queries.
  • ▸Does OPA store its own data? -> No, it evaluates input JSON passed by clients.
  • ▸Can OPA audit past decisions? -> Yes, via decision logs.

30-Day Skill Plan

  • ▸Week 1: Rego basics and simple allow/deny policies
  • ▸Week 2: Complex logical rules with loops and comprehensions
  • ▸Week 3: Integrate OPA with CI/CD pipelines
  • ▸Week 4: Kubernetes Gatekeeper policies and dry-run testing
  • ▸Week 5: Centralized governance and auditing workflows

Final Summary

  • ▸OPA is a powerful, cloud-native policy engine for centralized, declarative policy enforcement.
  • ▸Rego enables expressive, fine-grained policies for Kubernetes, APIs, and cloud resources.
  • ▸OPA integrates via sidecar, SDK, or REST API to enforce policies in real-time.
  • ▸Supports auditing, logging, and governance across multi-cloud and microservices environments.
  • ▸Ideal for DevSecOps, compliance, and multi-environment policy management.

Project Structure

  • ▸Policies directory with `.rego` files
  • ▸Data directory with `.json` files for inputs
  • ▸Bundles for versioned policy distribution
  • ▸Configuration files for OPA server settings
  • ▸Decision log files or endpoints for auditing

Monetization

  • ▸OPA consulting and governance services
  • ▸Managed OPA hosting
  • ▸Enterprise compliance and policy audits
  • ▸Training and workshops for Rego and OPA
  • ▸Monitoring and analytics solutions for policy enforcement

Productivity Tips

  • ▸Organize policies by domain and environment
  • ▸Use reusable policy modules
  • ▸Test policies with representative input data
  • ▸Enable logging for all decisions
  • ▸Automate policy deployment with bundles

Basic Concepts

  • ▸Policy - declarative rules written in Rego
  • ▸Data - JSON input evaluated by policies
  • ▸Decision - result of policy evaluation (allow, deny, custom)
  • ▸Bundle - package of policies and data for distribution
  • ▸Gatekeeper - Kubernetes integration for admission control

Official Docs

  • ▸OPA official documentation
  • ▸Rego language reference
  • ▸Gatekeeper Kubernetes integration guide
  • ▸Policy bundles documentation

Practice Other Languages

CReactPythonC++RustTypeScriptKotlinPHPJavaC#RubyMqlCqlN1qlCypher