Unified policy-as-code engine for authorization, admission control, and compliance.
OPA (Open Policy Agent) is an open source policy-as-code engine (CNCF graduated project, 2021) for expressing and evaluating policies in the declarative language **Rego**. Use cases: Kubernetes admission control, microservices authorization, infrastructure-as-code validation, API authorization, CI/CD policy checks, data filtering. The "policy decision" is decoupled from "policy enforcement": the application or platform asks OPA for a decision and remains responsible for acting on it.
Architecture: (1) **OPA engine** — a daemon (or embedded library) that evaluates policies; (2) **Rego language** — Datalog-inspired; a policy is a set of queries over JSON input and data that return JSON results; (3) **Policies as code** — stored in Git, versioned, reviewed, and unit-tested like any other code; (4) **Decision API** — clients ask "can user X do Y on resource Z?" over HTTP, and OPA returns allow/deny together with the reasons the policy computed.
Example Rego policy:
```rego
package authz

import rego.v1

# Deny unless one of the rules below grants access.
default allow := false

# Admins may perform any method on any resource.
allow if {
    input.user.role == "admin"
}

# Anyone may read (GET) a resource they own.
allow if {
    input.method == "GET"
    input.resource.owner == input.user.id
}
```
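The "testable" property in practice: the following unit-test file is an added example, not code from the original page. It assumes the policy above is saved as `authz.rego` and this file as `authz_test.rego` in the same directory; `opa test` discovers every rule whose name starts with `test_` and reports PASS/FAIL per rule. The inputs are constructed values.

```rego
package authz

import rego.v1

# Admin role is allowed regardless of method or ownership.
test_admin_allowed if {
    allow with input as {
        "user": {"role": "admin", "id": "alice"},
        "method": "DELETE",
        "resource": {"owner": "bob"}
    }
}

# A non-admin owner may read their own resource.
test_owner_get_allowed if {
    allow with input as {
        "user": {"role": "dev", "id": "alice"},
        "method": "GET",
        "resource": {"owner": "alice"}
    }
}

# Ownership only grants GET: the same owner may not DELETE.
test_owner_delete_denied if {
    not allow with input as {
        "user": {"role": "dev", "id": "alice"},
        "method": "DELETE",
        "resource": {"owner": "alice"}
    }
}

# A non-admin reading someone else's resource is denied.
test_other_get_denied if {
    not allow with input as {
        "user": {"role": "dev", "id": "alice"},
        "method": "GET",
        "resource": {"owner": "bob"}
    }
}

# Missing fields must fail closed: with no user object, the comparison
# is undefined, so neither rule fires and the default applies.
test_missing_user_denied if {
    not allow with input as {
        "method": "GET",
        "resource": {"owner": "alice"}
    }
}
```

Run `opa test -v .` in that directory; wiring the same command into CI turns the policy repository into a gate that fails when an edit widens access unexpectedly (for instance, if someone removed `input.method == "GET"` from the second rule, `test_owner_delete_denied` would fail).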
Main use cases:
(1) **Kubernetes admission control** via **Gatekeeper** (OPA + K8s integration, CNCF) — block pods running as root, require labels, enforce resource limits, prevent privileged containers, restrict images to trusted registries. Replaces the older PSPs (Pod Security Policies, deprecated).
(2) **Microservices authorization** — a service queries OPA for authz decisions instead of embedding hardcoded logic. Policy is centralized and application code stays clean.
(3) **API gateway authorization** — Envoy, Kong, and Traefik integrate with OPA for fine-grained API access control.
(4) **Terraform / IaC compliance** — **Conftest** (an OPA wrapper) validates Terraform, Kubernetes, Dockerfile, and JSON configs against policies before deployment: "no public S3 buckets", "all resources tagged", "no security groups open to 0.0.0.0/0".
(5) **CI/CD pipeline gates** — OPA evaluates whether a deployment should proceed.
(6) **Data filtering** — partial evaluation compiles a policy into a residual query (for example a SQL WHERE clause) so that filtering runs in the data store, enabling row-level security (RLS) without fetching and filtering rows in the application.
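Use cases (1) and (4) share the same shape of rule. The policy below is an added example written for Conftest (not code from the Conftest or Gatekeeper projects): `package main`, `deny` rules that collect messages, and `input` bound to one Kubernetes manifest. The registry prefixes and required label names are constructed assumptions. The same logic would sit in a Gatekeeper ConstraintTemplate with `violation[{"msg": msg}]` rules reading `input.review.object` instead of `input`.

```rego
package main

import rego.v1

# Constructed example values: registries workloads may pull from,
# and labels every object must carry.
allowed_registries := {"registry.example.internal/", "ghcr.io/example-org/"}
required_labels := {"app.kubernetes.io/name", "owner"}

kind := object.get(input, "kind", "<unknown kind>")

# Containers from bare Pods and from the pod template of workload controllers.
containers contains c if {
    input.kind == "Pod"
    some c in input.spec.containers
}

containers contains c if {
    input.kind in {"Deployment", "StatefulSet", "DaemonSet", "Job"}
    some c in input.spec.template.spec.containers
}

# Privileged containers are refused outright.
deny contains msg if {
    some c in containers
    c.securityContext.privileged == true
    msg := sprintf("%s: container %q must not be privileged", [kind, c.name])
}

# runAsNonRoot must be explicitly true; written with `not` so an absent
# securityContext fails closed rather than leaving the rule undefined.
deny contains msg if {
    some c in containers
    not c.securityContext.runAsNonRoot == true
    msg := sprintf("%s: container %q must set securityContext.runAsNonRoot: true", [kind, c.name])
}

# Every container needs both a CPU and a memory limit.
deny contains msg if {
    some c in containers
    some res in {"cpu", "memory"}
    not c.resources.limits[res]
    msg := sprintf("%s: container %q has no %s limit", [kind, c.name, res])
}

# Images must come from an allowed registry prefix.
deny contains msg if {
    some c in containers
    not image_allowed(c.image)
    msg := sprintf("%s: container %q image %q is not from an allowed registry", [kind, c.name, c.image])
}

image_allowed(image) if {
    some prefix in allowed_registries
    startswith(image, prefix)
}

# Required labels; a missing metadata.labels map counts as missing labels.
deny contains msg if {
    some label in required_labels
    not input.metadata.labels[label]
    msg := sprintf("%s is missing required label %q", [kind, label])
}
```

With the file saved under `policy/`, `conftest test -p policy deployment.yaml` prints one line per `deny` message and exits non-zero if any fired, which is what makes it usable as a pipeline gate. Note the two `not` forms: `not x == true` fails closed when the field is absent, whereas `x != true` would be undefined on an absent field and silently let the manifest through.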
Deployment:
- **Sidecar pattern** — OPA runs alongside each service; queries stay local and low-latency.
- **Centralized** OPA service queried over the network.
- **Bundle server** — distributes policy (and data) bundles to OPA instances, which poll for updates.
- **Decision logs** — every decision is shipped to a collector as an audit trail.
Ecosystem:
- **Styra DAS** (Declarative Authorization Service) — commercial OPA management platform from the creators of OPA.
- **Gatekeeper** — Kubernetes integration.
- **Conftest** — configuration testing.
- **OPAL** — real-time policy updates.
- **Cedar** (AWS; a separate project built on a similar concept) — alternative policy language.
Versus traditional RBAC: OPA permits much richer policies (ABAC-style with arbitrary conditions, time-based, location-based, custom logic). Related certifications: CKA, CKS, SC-300.
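What "time-based, location-based, custom logic" looks like in Rego, as an added example that is not from the original page: a decision document that carries both the verdict and the reasons, which is the shape a Decision API client receives. The role name, business hours, time zone and CIDR ranges are constructed assumptions.

```rego
package authz.abac

import rego.v1

# Constructed example values.
corporate_cidrs := {"10.0.0.0/8", "192.0.2.0/24"}

# Deny by default; allow only when no condition produced a reason to refuse.
default allow := false

allow if {
    count(deny_reasons) == 0
}

# The document returned to the caller: verdict plus reasons.
decision := {"allow": allow, "deny_reasons": deny_reasons}

# Role condition, written with `not` so a missing role fails closed.
deny_reasons contains "role 'oncall' required" if {
    not input.user.role == "oncall"
}

# Time-based condition: 09:00-17:59 in Europe/Paris.
deny_reasons contains "outside business hours (Europe/Paris)" if {
    not business_hours
}

business_hours if {
    [hour, _, _] := time.clock([time.now_ns(), "Europe/Paris"])
    hour >= 9
    hour < 18
}

# Location-based condition: the source address must fall inside a corporate range.
deny_reasons contains "source address outside corporate network" if {
    not from_corporate_network
}

from_corporate_network if {
    some cidr in corporate_cidrs
    net.cidr_contains(cidr, input.request.source_ip)
}
```

A client POSTs `{"input": {...}}` to `/v1/data/authz/abac/decision` and gets back, for example, `{"result": {"allow": false, "deny_reasons": ["outside business hours (Europe/Paris)"]}}`, which is directly usable both for the enforcement point and for the decision log. Because the policy calls `time.now_ns()`, unit tests pin the clock with `decision with input as {...} with time.now_ns as <fixed nanoseconds>` so they stay deterministic.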