Tools/open-policy-agent/opa

opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

11.9kemergingGoApache License 2.0

The Lens

OPA, the Open Policy Agent, is a general-purpose policy engine: you write rules in a language called Rego, and OPA evaluates them to make yes-or-no decisions for anything that asks. Should this Kubernetes pod be allowed? Can this user call this API? Is this Terraform plan compliant? One engine, consistent policy across your whole stack. Open source and free, a graduated CNCF project.

It runs as a service or a library that your applications and infrastructure query at decision points. The power is decoupling policy from code: instead of hardcoding rules into every service, they live in Rego and OPA answers the questions. Rego takes real effort to learn, and that's the honest cost of the flexibility. Setup is easy, getting good at Rego is not.

OPA is free. Styra, founded by OPA's creators, sells Styra DAS: a commercial control plane for managing policies, distribution, and monitoring across a large environment. Solo and small teams, raw OPA, or Gatekeeper if your only use case is Kubernetes. Large orgs running policy everywhere, Styra DAS is the management layer.

The catch: Rego is the barrier. It's a declarative logic language that thinks differently from normal code, and the learning curve is steep enough that teams often stall. If your only need is Kubernetes admission control, Gatekeeper or Kyverno wrap OPA-style policy in something friendlier. Reach for raw OPA when you genuinely need one policy engine across many systems.

Free vs Self-Hosted vs Paid

free self hosted paid cloud

Self-hosted (free): OPA under Apache-2.0, a graduated CNCF project. A general-purpose policy engine: write rules in Rego, and OPA answers yes/no decisions for Kubernetes admission, API authorization, Terraform compliance, and more. Runs as a service or a library.

Styra DAS (paid): A commercial control plane from OPA's creators for managing, distributing, and monitoring policy at scale.

The call: Raw OPA for teams that need one policy engine across many systems. For Kubernetes-only needs, Gatekeeper or Kyverno are friendlier.

Free and open source (CNCF). Styra DAS, from OPA's creators, is the paid control plane.

Self-hosting ops:moderate

Get tools like this every Wednesday

One featured tool, three on the radar. No fluff.

Score
67/100 · B
Adoption27/30
Maintenance10/25
Community5/20
License15/15
Analysis10/10

About

Owner
Open Policy Agent (Organization)
Stars
11,929
Forks
1,601

Explore Further

More tools in the directory