open-policy-agent/opa is an Open Source general purpose policy agent.
OPA gives you a high-level declarative language to author and enforce policies across your stack.
With OPA, you define rules that govern how your system should behave. These rules exist to answer questions like:
- Can user X call operation Y on resource Z?
- What clusters should workload W be deployed to?
- What tags must be set on resource R before it’s created?
You integrate services with OPA so that these kinds of policy decisions do not have to be hardcoded in your service. Services integrate with OPA by executing queries when policy decisions are needed.
When you query OPA for a policy decision, OPA evaluates the rules and data (which you give it) to produce an answer. The policy decision is sent back as the result of the query.