OPA
Definition
OPA, or Open Policy Agent, is an open-source, general-purpose policy engine that enables unified, context-aware policy enforcement across a wide range of systems and services. It decouples policy decisions from the application logic, allowing for centralized management and dynamic policy updates without redeploying applications. OPA uses a high-level declarative language called Rego to define policies, which can be applied to various use cases such as Kubernetes admission control, API authorization, and infrastructure configuration.
Secure Settings Example
# Example of a secure OPA policy for Kubernetes admission control
package kubernetes.admission

# Deny the request when a Pod is being created without runAsNonRoot: true.
# `not` succeeds when the field is absent or false, so an unset
# securityContext is rejected as well.
deny[msg] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    not input.request.object.spec.securityContext.runAsNonRoot
    msg := "Pods must run as non-root user"
}
Insecure Settings Example
# Example of an insecure OPA policy for Kubernetes admission control
package kubernetes.admission

deny[msg] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    # Missing check for runAsNonRoot, allowing pods to run as root
    msg := "Pods must have specific labels"
}
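A fuller version of the secure policy, added here as an example (it is not code from the original page): it also checks each container's own securityContext, which can override the Pod-level setting, and carries unit tests that run with `opa test -v`. It assumes the standard Kubernetes AdmissionReview input shape (input.request.object is the Pod) and uses the `rego.v1` keywords accepted by OPA 0.59 and later and expected by default in OPA 1.x.

```rego
package kubernetes.admission

import rego.v1

# Helper: true only for Pod CREATE requests (AdmissionReview shape assumed).
is_pod_create if {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
}

# Deny when the Pod-level securityContext does not require non-root.
deny contains msg if {
    is_pod_create
    not input.request.object.spec.securityContext.runAsNonRoot
    msg := "Pods must set spec.securityContext.runAsNonRoot: true"
}

# A container's securityContext overrides the Pod-level setting,
# so deny any container that explicitly sets runAsNonRoot to false.
deny contains msg if {
    is_pod_create
    some container in input.request.object.spec.containers
    container.securityContext.runAsNonRoot == false
    msg := sprintf("container %v sets runAsNonRoot: false", [container.name])
}

# --- Unit tests (constructed AdmissionReview fragments) ---
review(spec) := {"request": {
    "kind": {"kind": "Pod"},
    "operation": "CREATE",
    "object": {"spec": spec}
}}

test_pod_without_runasnonroot_denied if {
    r := review({"containers": [{"name": "app"}]})
    count(deny) == 1 with input as r
}

test_container_override_denied if {
    r := review({
        "securityContext": {"runAsNonRoot": true},
        "containers": [{"name": "app", "securityContext": {"runAsNonRoot": false}}]
    })
    deny["container app sets runAsNonRoot: false"] with input as r
}

test_compliant_pod_allowed if {
    r := review({"securityContext": {"runAsNonRoot": true}, "containers": [{"name": "app"}]})
    count(deny) == 0 with input as r
}
```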