
CONCEPT Cited by 1 source

Policy bundle

Definition

A policy bundle is OPA's distribution unit: a gzipped tarball of .rego policy files plus optional data.json (or data.yaml) reference data, downloaded by each OPA instance from a configured remote service and reloaded on a polling interval. The tarball carries a .manifest (a free-form revision string and the roots under which its policies and data are allowed to live), can be signed (a .signatures.json that OPA verifies against configured keys before activating the bundle), and is the only artifact that flows from the control plane to the data plane; status reports and decision logs flow the other way.

From OPA's documentation:

Bundles enable OPA to download policy and data from remote HTTP servers and periodically reload them. This allows policy and data to be managed outside of OPA and treated as an external authoritative source.
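The layout described above, as an added example that is not part of this page or of OPA's own code: it writes a bundle tarball in memory in the layout `opa build` produces (entries with a leading slash), reads it back, and re-implements the two structural checks OPA applies before activating a bundle, that no two manifest roots overlap and that every package and every data path falls under some root. The sample policy, data and revision string are constructed for illustration, and the package parser assumes plain dotted package names.

```python
"""Build a minimal OPA policy bundle in memory, read it back, and apply the
root checks OPA performs at load time. Added example, not OPA's code; the
policy, data and manifest below are constructed and the revision is a
placeholder."""
import io
import json
import re
import tarfile
import time

# Constructed sample content: package and data both live under root "example".
POLICY = """package example.authz

import rego.v1

default allow := false

allow if input.user in data.example.admins
"""
DATA = {"example": {"admins": ["alice", "bob"]}}
MANIFEST = {"revision": "constructed-rev-1", "roots": ["example"]}

# Assumption: packages are plain dotted identifiers (package a.b.c);
# bracketed segments such as a["b"] are not handled here.
PACKAGE_RE = re.compile(r"^\s*package\s+([A-Za-z_][\w.]*)", re.M)


def build_bundle(manifest, policies, data):
    """Return a gzipped tarball laid out like `opa build` output, with entries
    written as /.manifest, /<path>.rego and /data.json."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, payload):
            info = tarfile.TarInfo(name="/" + name)
            info.size = len(payload)
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(payload))
        add(".manifest", json.dumps(manifest).encode())
        for path, source in policies.items():
            add(path, source.encode())
        add("data.json", json.dumps(data).encode())
    return buf.getvalue()


def merge(a, b):
    """Merge two data trees; OPA rejects bundles whose data files conflict."""
    out = dict(a)
    for key, value in b.items():
        if key in out and isinstance(out[key], dict) and isinstance(value, dict):
            out[key] = merge(out[key], value)
        elif key in out:
            raise ValueError(f"conflicting data at key {key!r}")
        else:
            out[key] = value
    return out


def read_bundle(blob):
    """Parse a bundle into (manifest, {rego path: source}, merged data).
    Other entries (.signatures.json, data.yaml, ...) are skipped here."""
    manifest, policies, data = {}, {}, {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.lstrip("/")
            payload = tar.extractfile(member).read()
            if name == ".manifest":
                manifest = json.loads(payload)
            elif name.endswith(".rego"):
                policies[name] = payload.decode()
            elif name.rsplit("/", 1)[-1] == "data.json":
                # data.json in directory d/e populates data.d.e; at the
                # tarball root it populates the root of `data`.
                node = json.loads(payload)
                for seg in reversed(name.split("/")[:-1]):
                    node = {seg: node}
                data = merge(data, node)
    return manifest, policies, data


def split(path):
    return [s for s in path.split("/") if s]


def under_roots(path, roots):
    """True if some root is a segment-wise prefix of path ("" matches all)."""
    segs = split(path)
    return any(segs[:len(split(r))] == split(r) for r in roots)


def roots_overlap(roots):
    segs = [split(r) for r in roots]
    return any(i != j and a[:len(b)] == b
               for i, a in enumerate(segs) for j, b in enumerate(segs))


def validate(blob):
    """Return the problems OPA would refuse the bundle for (empty = loads)."""
    manifest, policies, data = read_bundle(blob)
    roots = manifest.get("roots")
    if roots is None:
        roots = [""]  # OPA defaults a missing roots field to [""]
    problems = []
    if roots_overlap(roots):
        problems.append(f"manifest has overlapping roots {roots}")
    for path, source in policies.items():
        match = PACKAGE_RE.search(source)
        if not match:
            problems.append(f"{path}: no package declaration")
        elif not under_roots(match.group(1).replace(".", "/"), roots):
            problems.append(f"{path}: package {match.group(1)} is outside roots {roots}")

    def walk(node, path):
        # Descend until a root covers the path; an uncovered leaf is an error.
        if under_roots(path, roots):
            return
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}/{key}" if path else key)
        else:
            problems.append(f"data at /{path} is outside roots {roots}")

    walk(data, "")
    return problems


if __name__ == "__main__":
    blob = build_bundle(MANIFEST, {"example/authz.rego": POLICY}, DATA)
    print(read_bundle(blob)[0]["revision"], validate(blob))
```

Passing the bytes of a real `opa build` artifact to validate() makes this a cheap pre-publish gate in the control plane: a bundle that fails the root checks here is one OPA would also refuse to load, and it is better to catch that before it is pushed to the bundle source than to discover it in the data plane's status reports.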

Why it matters

  • Single distribution artifact. Everything the engine needs to answer policy queries — rules + reference data — ships in one tarball. No out-of-band side-loading.
  • Polling, not pushing. OPA pulls on a configurable interval (a random delay between a configured minimum and maximum), so a control-plane push never sits in the decision path. If the source is unreachable, OPA keeps enforcing the last bundle it activated, and with bundle persistence enabled a restarted instance reloads the cached copy from disk until the service is reachable again.
  • Substrate-swappable. The bundle source is any HTTP(S) service that can serve the gzipped tarball, such as a bundle server, object storage, an OCI registry or a CDN; only the service entry changes (URL plus how requests are authenticated: bearer token, client TLS, OAuth2, AWS SigV4 for S3). Consumers depend on the bundle schema, not the transport.
  • Amenable to control-plane / data-plane separation. Author in the control plane, publish to a highly-available substrate, poll from the data plane; the control plane can fail without taking enforcement down.
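The consumer side of the pattern in the bullets above, as an added example that is neither Zalando's nor OPA's own configuration: an OPA config that polls a per-application bundle from S3 with SigV4-signed requests, caches it on disk so a restart does not depend on the bucket being reachable, and refuses bundles that are not signed by the configured key. The bucket name, object path, application id and key material are placeholders.

```yaml
# opa run --server --config-file opa.yaml
# Added example; names below are placeholders, not values from the page.
services:
  - name: s3
    url: https://policy-bundles-placeholder.s3.amazonaws.com
    credentials:
      s3_signing:
        environment_credentials: {}      # SigV4-sign requests with the instance's AWS credentials

bundles:
  authz:
    service: s3
    resource: bundles/app-placeholder-id.tar.gz   # one bundle per application id
    persist: true                        # cache the bundle on disk; restart works without S3
    polling:
      min_delay_seconds: 60              # OPA picks a random delay in [min, max]
      max_delay_seconds: 120
    signing:
      keyid: bundle_signing_key          # unsigned or badly signed bundles are rejected

keys:
  bundle_signing_key:
    algorithm: RS256
    key: |
      -----BEGIN PUBLIC KEY-----
      ...placeholder public key...
      -----END PUBLIC KEY-----

persistence_directory: /var/lib/opa
```

The two settings that matter for the availability argument are `persist: true` together with `persistence_directory`, which keep the last activated bundle across a restart, and `signing.keyid`, which moves trust from "whoever can write to the bucket" to "whoever holds the signing key"; without the latter, the substrate's access controls are the only thing standing between a compromised bucket and the data plane.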

Seen in

  • sources/2024-12-05-zalando-open-policy-agent-in-skipper-ingress — Zalando builds policy bundles inside application Git repos in Rego, publishes them via Styra DAS to AWS S3, and has every virtual OPA instance inside Skipper poll S3 for its per-application bundle. Bundle naming is piggybacked on Zalando's application registry: "At Zalando, every application that is deployed to production must be registered first in our application registry. For structuring policies, we piggyback on this governance structure and expect application teams to have an OPA policy bundle per application which uses the application id in its name." Direct instance of patterns/s3-as-policy-bundle-source-for-availability.