DEV Community

Siri Varma Vegiraju

Policy as code with Open Policy Agent

Policy as Code

Policy as Code is the practice of writing and managing security, compliance, and operational rules in code—just like you manage application code. It allows policies to be:

  • Automated: Integrated into CI/CD pipelines and runtime systems
  • Versioned: Stored in source control systems (e.g., Git)
  • Tested: With unit/integration tests, reducing human error
  • Audited: For traceability and accountability

This approach promotes consistency, repeatability, and scalability in enforcing rules across infrastructure, Kubernetes, APIs, IAM, and more.


Open Policy Agent (OPA)

OPA is a general-purpose policy engine that lets you enforce fine-grained policies across a wide range of systems.

  • Uses a high-level declarative language called Rego
  • Decouples policy decisions from policy enforcement
  • Can be embedded in services (e.g., microservices, Kubernetes admission controllers, CI/CD pipelines)

Common Use Cases:

  • Kubernetes Admission Control (via Gatekeeper)
  • API access authorization
  • Cloud infrastructure policies (Terraform, CI/CD)
  • Data filtering and masking

Example (OPA Rego Policy):

package httpapi.authz

import rego.v1  # Rego v1 syntax (OPA 0.59+); needed for the `if` keyword below

# Deny by default: `allow` is false unless a rule below proves otherwise
default allow := false

# Grant only when the caller is admin AND the method is DELETE
allow if {
  input.user == "admin"
  input.method == "DELETE"
}

This policy allows only admin users to perform DELETE operations: `allow` is true only when `input.user` is `"admin"` and `input.method` is `"DELETE"`. Every other request, including an admin `GET`, fails to satisfy the rule, so the enforcing service treats it as denied.
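The "Tested" bullet above and the rule just shown come together in the following added example (it is not code from the original post). It keeps the post's admin-only DELETE rule, adds a deny-by-default, and pins the behaviour down with Rego unit tests, including the edge cases a reviewer would ask about. It assumes OPA 0.59 or newer for the `rego.v1` import; the `test_` rules and the input documents inside them are constructed for this example.

```rego
package httpapi.authz

import rego.v1

# Deny by default so a request is rejected unless some rule proves `allow`.
default allow := false

# Rule from the post: only admins may DELETE.
allow if {
	input.user == "admin"
	input.method == "DELETE"
}

# Unit tests (constructed inputs). Rules whose names start with `test_` are
# picked up by `opa test`; the run fails if any of them is false or undefined.

test_admin_can_delete if {
	allow with input as {"user": "admin", "method": "DELETE"}
}

test_non_admin_cannot_delete if {
	not allow with input as {"user": "alice", "method": "DELETE"}
}

# Edge case worth pinning down: the rule says nothing about other methods,
# so under this policy even an admin GET is denied.
test_admin_get_is_denied if {
	not allow with input as {"user": "admin", "method": "GET"}
}

# A missing field is not an error: `input.user` is simply undefined, the
# rule body does not match, and the default applies, so the request is denied.
test_missing_user_is_denied if {
	not allow with input as {"method": "DELETE"}
}
```

Save this as `policy.rego` and run `opa test -v policy.rego` to execute the tests; wiring that command into CI is what turns the policy into versioned, tested code. To query a single decision by hand, put `{"user": "alice", "method": "DELETE"}` in `input.json` and run `opa eval -d policy.rego -i input.json 'data.httpapi.authz.allow'`, which returns `false`. The explicit `default allow := false` matters at the enforcement point: without it a non-matching request evaluates to undefined rather than `false`, and a client that only checks for `false` could mistake undefined for permission.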


Why it Matters

OPA and Policy as Code are central to Cloud Native Security, Zero Trust Architecture, and automated compliance in modern DevSecOps environments.
