DEV Community

Alex Spinov

OPA (Open Policy Agent) Has a Free API — Policy as Code for Everything

OPA: One Policy Engine to Rule Them All

Open Policy Agent (OPA) is a general-purpose policy engine that lets you write policy as code. Kubernetes admission control, API authorization, Terraform plan validation, CI/CD gates — all using the same language (Rego).

How OPA Works

OPA decouples policy from your application. You define policies in Rego, OPA evaluates them against structured data (the JSON input of a query plus any data you have loaded), and returns a decision, which can be a boolean or any JSON document.

The Free API

When run in server mode, OPA exposes a REST API for evaluating queries and for managing policies and data:

# Evaluate a policy: POST the input to the data API path of the rule you want
curl -X POST http://localhost:8181/v1/data/authz/allow \
  -H "Content-Type: application/json" \
  -d '{"input": {"user": "alice", "action": "read"}}'
# Response: {"result": true}

# Upload (or replace) a policy under the id "authz"
curl -X PUT http://localhost:8181/v1/policies/authz \
  -H "Content-Type: text/plain" \
  --data-binary @policy.rego

# List all policies
curl http://localhost:8181/v1/policies
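The first curl call above queries the allow rule in package authz, but the post never shows that policy. The following is an added example of mine, not code from the post: a deny-by-default authz policy that returns true for that request, with unit tests in the same file so it can be checked with opa test before being uploaded; the role and permission tables are constructed for the example.

```rego
package authz

import rego.v1

# Deny by default: any request not explicitly allowed is rejected,
# so a missing or unknown user/action never yields an undefined decision.
default allow := false

# Role bindings. Constructed for this example; in practice this would
# normally be loaded as data (PUT /v1/data/roles) rather than hard-coded.
roles := {
    "alice": {"reader"},
    "bob": {"reader", "writer"},
}

# Actions each role may perform.
permissions := {
    "reader": {"read"},
    "writer": {"read", "write"},
}

# Allow if any role held by the user grants the requested action.
allow if {
    some role in roles[input.user]
    input.action in permissions[role]
}

# Unit tests: run with `opa test policy.rego -v`
test_alice_can_read if {
    allow with input as {"user": "alice", "action": "read"}
}

test_alice_cannot_write if {
    not allow with input as {"user": "alice", "action": "write"}
}

test_bob_can_write if {
    allow with input as {"user": "bob", "action": "write"}
}

test_unknown_user_denied if {
    not allow with input as {"user": "mallory", "action": "read"}
}

test_missing_action_denied if {
    not allow with input as {"user": "bob"}
}
```

Saved as policy.rego and uploaded with the PUT call above, this policy makes the POST to /v1/data/authz/allow return {"result": true} for alice reading and {"result": false} for anything the tables do not grant.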

Kubernetes Gatekeeper

OPA Gatekeeper runs OPA as a Kubernetes admission controller. A Constraint like the one below instantiates a ConstraintTemplate (here K8sRequiredLabels, which comes from the Gatekeeper policy library and must be installed before the Constraint is applied); this one rejects any Namespace that lacks a team label:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-team-label
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Namespace"]
  parameters:
    labels:
    - key: team

# Install Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.16.0/deploy/gatekeeper.yaml

# Check constraint status, including violations found by the audit controller
kubectl get k8srequiredlabels -o yaml

Rego Policy Examples

These rules use the pre-1.0 rule syntax; on OPA 1.0 or later, write them as "deny contains msg if { ... }" or run OPA with --v0-compatible.

package kubernetes.admission

# Deny containers running as root (checks every container in the Pod spec)
deny[msg] {
  input.request.kind.kind == "Pod"
  container := input.request.object.spec.containers[_]
  container.securityContext.runAsUser == 0
  msg := sprintf("Container %v runs as root", [container.name])
}

# Require resource limits (no kind check here, so it applies to any object that has spec.containers)
deny[msg] {
  container := input.request.object.spec.containers[_]
  not container.resources.limits
  msg := sprintf("Container %v has no resource limits", [container.name])
}

Real-World Use Case

A healthcare company needed HIPAA-compliant Kubernetes clusters. OPA Gatekeeper blocks containers running as root, images pulled from untrusted registries, and pods without resource limits. 100% policy compliance, zero manual review.

Quick Start

docker run -p 8181:8181 openpolicyagent/opa run --server
curl localhost:8181/v1/data

Resources

Need automated compliance data for your security audits? Check out my scraping tools on Apify or email spinov001@gmail.com for custom solutions.