Open Policy Agent (OPA / Gatekeeper)
Open Policy Agent (OPA) is a CNCF-graduated general-purpose policy engine; Gatekeeper is the Kubernetes admission-controller integration built on top of it. Policies are written in Rego, a declarative logic-programming language, and evaluated against structured input (Kubernetes API requests, application requests, CI/CD metadata, …).
In the Kubernetes deployment model, Gatekeeper enforces policies on every CREATE / UPDATE admission: the cluster API server calls into Gatekeeper, Gatekeeper evaluates the policy set against the incoming object plus live cluster state, and either admits or rejects the request. This is patterns/policy-gate-on-provisioning in wiki terms: compliance is checked at manifest-submission time, shifted left from post-hoc audit.
OPA's place in the policy-engine landscape
OPA / Rego vs Cedar / AVP vs AWS SCPs — three different policy engines, three slightly different niches:
| Engine | Language | Primary enforcement layer | Analyzability by design? |
|---|---|---|---|
| OPA / Gatekeeper | Rego (Datalog-ish) | K8s admission; also app auth | Partial (general-purpose) |
| Cedar / AVP | Cedar | App-request time | Yes (constrained-by-design) |
| AWS SCPs | IAM policy JSON | AWS Organizations (account-wide) | Yes (SMT-proven via systems/aws-policy-interpreter) |
All three are concepts/policy-as-data instances — policies in a store separate from code, versioned, audited.
Seen in
- sources/2026-02-26-aws-santander-catalyst-platform-engineering — Santander Catalyst's policies catalog is "a central repository of policies ensuring compliance and security across all operations using Open Policy Agent" — the regulated-bank equivalent of ProGlove's SCP-based guardrails. Lives on the EKS control plane cluster alongside systems/crossplane (stacks catalog) and systems/argocd (data-plane claims).
- sources/2026-01-12-aws-salesforce-karpenter-migration-1000-eks-clusters — Salesforce deploys OPA policies for proactive PDB validation at admission as the cluster-wide governance layer during their 1,000-cluster Karpenter migration. Canonical wiki instance of OPA used for operational correctness (preventing misconfigured PDBs from blocking node replacement) rather than security policy — expanding the wiki's view of what OPA is useful for.
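The admission-time gate described above, applied to the Salesforce PDB case, as an added illustration (this is example code written for this page, not a policy from either cited source or from the Gatekeeper policy library). It assumes a Gatekeeper ConstraintTemplate whose Rego rejects a PodDisruptionBudget that can never be voluntarily disrupted (`maxUnavailable: 0` / `0%` or `minAvailable: 100%`), which is the shape of misconfiguration that blocks node replacement during a drain. Template name, constraint name and messages are made up for the example.

```yaml
# ConstraintTemplate: defines the reusable check and its parameters (none here).
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8spdbnotblocking          # must be the lowercase of crd.spec.names.kind
spec:
  crd:
    spec:
      names:
        kind: K8sPDBNotBlocking
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8spdbnotblocking

        # input.review.object is the object being admitted (the PDB manifest).
        pdb := input.review.object

        # Any of these settings allows zero voluntary disruptions, so a
        # node drain will wait forever on the pods it selects.
        blocks_all_disruption { pdb.spec.maxUnavailable == 0 }
        blocks_all_disruption { pdb.spec.maxUnavailable == "0%" }
        blocks_all_disruption { pdb.spec.minAvailable == "100%" }

        # Gatekeeper denies the request when violation[] is non-empty.
        violation[{"msg": msg}] {
          pdb.kind == "PodDisruptionBudget"
          blocks_all_disruption
          msg := sprintf(
            "PodDisruptionBudget %v/%v permits no voluntary disruption (maxUnavailable=%v, minAvailable=%v); node drains would block",
            [pdb.metadata.namespace, pdb.metadata.name,
             object.get(pdb.spec, "maxUnavailable", "unset"),
             object.get(pdb.spec, "minAvailable", "unset")],
          )
        }
---
# Constraint: binds the template to a set of kinds and chooses the action.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPDBNotBlocking
metadata:
  name: pdb-must-allow-disruption
spec:
  # Start with dryrun to record violations in status without rejecting,
  # then switch to deny once the existing PDBs have been cleaned up.
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["policy"]
        kinds: ["PodDisruptionBudget"]
---
# Constructed sample object: this PDB is rejected at admission,
# because maxUnavailable: 0 forbids every voluntary eviction.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: api-pdb
  namespace: payments
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      app: api
```

Before pushing the constraint to a cluster, the template, constraint and sample manifests can be evaluated offline with Gatekeeper's `gator test` CLI, which prints the violations the policy would raise; a PDB with `maxUnavailable: 1` passes, the sample above is denied. In a cluster, the same rule also surfaces pre-existing offenders through Gatekeeper's audit of live objects, which is how the "live state" half of the admission flow gets covered.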
Stub page — OPA internals (Rego semantics, partial evaluation, constraint templates, Gatekeeper mutation, bundle distribution) out of scope until a future source drills into them.
Related
- concepts/policy-as-data — OPA's Rego policies in a central catalog are one realization of the concept
- patterns/policy-gate-on-provisioning — the admission-time enforcement pattern Gatekeeper embodies
- systems/cedar — constrained-by-design alternative for analyzable app-level authz
- concepts/service-control-policy — AWS Organizations' account-scoped guardrail layer
- systems/kubernetes — the substrate Gatekeeper plugs into