Introduction to Open Policy Agent
Open Policy Agent support has been introduced starting from these releases:
Open Policy Agent (OPA) is a general purpose policy framework that uses the Rego language to write policies.
Introduction
Rego policies work by receiving an input to evaluate and producing an output as a response. In this sense, OPA has no tooling that specifically targets writing policies for Kubernetes.
Specifically, policies in OPA receive a JSON input and produce a JSON output.
The OPA server is configured to receive admission review requests from Kubernetes.
The policies receive a Kubernetes AdmissionReview object in JSON format.
They have to return a valid AdmissionReview object as the evaluation results.
Compatibility with existing policies
All policies can be compiled to the wasm target (WebAssembly) with the official opa CLI tool.
In terms of policy execution, you can read more about the OPA built-in support implemented in Kubewarden.
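The AdmissionReview-in, AdmissionReview-out contract described above, shown as an added example (not code from the OPA or Kubewarden projects). The package name, the `main` entrypoint, the file name `policy.rego` and the privileged-container rule are assumptions chosen for illustration.

```rego
# Added example. Build for the wasm target with the opa CLI, for instance:
#   opa build -t wasm -e kubernetes/admission/main policy.rego
# (policy.rego is an assumed file name; the entrypoint matches package + rule.)
package kubernetes.admission

import rego.v1

# Entrypoint: the complete AdmissionReview document handed back to Kubernetes.
main := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": response,
}

# The response must echo the uid of the request it answers.
default uid := ""

uid := input.request.uid

# Reject when at least one deny message was produced, otherwise allow.
response := {
	"uid": uid,
	"allowed": false,
	"status": {"message": reason},
} if {
	reason := concat("; ", deny)
	reason != ""
} else := {"uid": uid, "allowed": true}

# Illustrative rule: refuse Pods that request a privileged container.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	container.securityContext.privileged == true
	msg := sprintf("container %v must not run privileged", [container.name])
}
```

Containers that omit `securityContext` leave the `deny` body undefined, so they fall through to the `allowed: true` branch.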