Technology Radar Template

Open Policy Agent

security, architecture
Assess

We have been transitioning away from using Open Policy Agent at AOE. For alternative solutions, please refer to Policy as Code.

Assess

Open Policy Agent (OPA) is a framework which allows modelling and evaluating policy access services. The underlying expression language, Rego, is purpose-built for policy evaluation and implements the Policy as Code pattern.

This decouples policy from the service's code, so you can release and review policies separately.

The benefits of using OPA and Rego come from the various available integrations into other cloud-native services and tools. It can be used with the Kubernetes Admission Controller, to authorize decisions within a service mesh, or as part of infrastructure evaluation pipelines.

We use OPA in some of our infrastructure pipelines to ensure that changes don't have undesired impact, or within Kubernetes to evaluate the overall conformity of our deployments with the given policies.
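An added example, not AOE's own policy: a Rego admission policy that lives outside any service's code and is evaluated against a Kubernetes AdmissionReview request. The package name, the registry prefix and the three rules are assumptions chosen for illustration.

```rego
# Constructed example policy for Kubernetes admission control.
package kubernetes.admission

import rego.v1

# Assumption: placeholder prefix for the only approved image registry.
allowed_registry := "registry.example.com/"

# Containers and init containers of a Deployment under review.
containers contains c if {
	input.request.kind.kind == "Deployment"
	some c in input.request.object.spec.template.spec.containers
}

containers contains c if {
	input.request.kind.kind == "Deployment"
	some c in input.request.object.spec.template.spec.initContainers
}

# Each deny rule adds one message per violating container.
deny contains msg if {
	some c in containers
	not startswith(c.image, allowed_registry)
	msg := sprintf("container %s uses image %s from an unapproved registry", [c.name, c.image])
}

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %s must not run privileged", [c.name])
}

deny contains msg if {
	some c in containers
	not c.resources.limits.memory # undefined limit counts as a violation
	msg := sprintf("container %s has no memory limit", [c.name])
}

default uid := ""

uid := input.request.uid

# AdmissionReview response: reject when any deny message exists.
response := {"uid": uid, "allowed": false, "status": {"message": concat("; ", deny)}} if {
	count(deny) > 0
} else := {"uid": uid, "allowed": true}

main := {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}
```

The same file can be checked in a pipeline before deployment with `opa eval -d policy.rego -i review.json "data.kubernetes.admission.deny"`, where `review.json` is a captured or constructed AdmissionReview document.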

We have also evaluated OPA as part of permission management in distributed architectures. The concept promises to provide value especially for distributed enterprise architectures.