1 of 4

OPA: General-purpose Policy Engine

[Diagram labels: Event; Linux PAM; ANY Software; Policy Query (ANY JSON value); OPA; Policy (Rego); Data (JSON); Policy Decision (ANY JSON value)]

Declarative Policy Language (Rego)

  • Can user X do operation Y on resource Z?
  • What invariants does workload W violate?
  • Which records should bob be allowed to see?
  • Language features
    • 150+ built-in functions: JWTs, date/time, CIDR math, etc.
    • Context-aware policies (Kubernetes, AD, entitlements, etc.)
    • Composition & delegation
    • Performance optimizations (Rule Indexing, Partial Evaluation, etc.)

Library (Go), sidecar/host-level daemon, WebAssembly

  • Policy and data are cached locally (in-memory, disk)
  • Zero decision-time dependencies

Management APIs for control & observability

  • Bundle service API for sending policy & data to OPA
  • Status service API for receiving status from OPA
  • Log service API for receiving audit log from OPA
  • Discovery API for dynamic policy discovery & distribution
  • Support for 3rd-party APIs: Prometheus, OpenTelemetry, etc.

Tooling to build, test, and debug policy

  • opa run, opa test, opa fmt, opa deps, opa check, etc.
  • IDE extensions (VS Code & IntelliJ), Tracing, Profiling, etc.
  • play.openpolicyagent.org - interactive evaluation, examples, etc.

openpolicyagent.org

2 of 4

Project Roadmap

Issues labelled good first issue or help-wanted are good candidates for first contribution.

[Roadmap table: columns 2024 Q2, 2024 Q3, 2024 Q4/2025 Q1; rows Performance, Language, Distribution, Tooling, Runtime]

See github.com/open-policy-agent/conftest and github.com/open-policy-agent/gatekeeper for subproject roadmaps.


3 of 4

Project Roadmap

Issues labelled good first issue or help-wanted are good candidates for first contribution.

[Roadmap table: columns 2023 Q2, 2023 Q3, 2023 Q4/2024 Q1; rows Performance, Language, Distribution, Tooling, Runtime]

See github.com/open-policy-agent/conftest and github.com/open-policy-agent/gatekeeper for subproject roadmaps.


4 of 4

Project Roadmap

Issues labelled good first issue or help-wanted are good candidates for first contribution.

See issue #845 for integration ideas.

[Roadmap table: columns 2022 Q2, 2022 Q3, 2022 Q4/2023 Q1]

See github.com/open-policy-agent/conftest and github.com/open-policy-agent/gatekeeper for subproject roadmaps.
