Open Policy Agent: General-Purpose Policy as Code

Shriira Press

Preface

One policy engine for your whole stack — define policy as code in Rego and ask OPA for decisions anywhere.

Welcome to Open Policy Agent: General-Purpose Policy as Code.

Open Policy Agent (OPA) is a general-purpose policy engine that decouples policy decisions from the systems that enforce them: you define policy as code in Rego, and any system — Kubernetes, microservices, APIs, CI/CD — can ask OPA for a decision. This free book teaches it from the ground up: the policy-as-code decoupling model (PDP/PEP), the Rego language and writing policies in it, Rego in depth (iteration, comprehensions, built-ins, rich decisions), how OPA runs and integrates (daemon/REST, embedded/Wasm), OPA and Kubernetes via Gatekeeper (and how it compares to Kyverno), using OPA beyond Kubernetes for application/API and microservice authorization, testing policies and distributing them with bundles, performance and decision logging, and operating OPA in production. Ten focused chapters with real Rego and clear diagrams that show how to govern many systems with one consistent, code-based approach.

This title is part of the ShriIra library and is free to read in full, right here — our small contribution to making world-class knowledge easy to reach.

A note on reading it: open the Contents menu at the top of the reader to jump between chapters, and use the Aa menu to set a comfortable text size, theme (light, sepia, or night), and single- or two-page layout. Your place is saved automatically, so you can always pick up where you left off.

We hope it serves you well.

— Shriira Press

Contents

  1. Chapter 1 — What OPA Is
  2. Chapter 2 — Policy as Code and the Decoupling Model
  3. Chapter 3 — The Rego Language
  4. Chapter 4 — Rego in Depth
  5. Chapter 5 — How OPA Runs and Integrates
  6. Chapter 6 — OPA and Kubernetes (Gatekeeper)
  7. Chapter 7 — OPA Beyond Kubernetes
  8. Chapter 8 — Testing and Managing Policies
  9. Chapter 9 — Performance, Observability, and Ecosystem
  10. Chapter 10 — Operating OPA and Putting It Together