Open Policy Agent & Rego

January 10, 2025

In the fast-paced world of DevOps and cloud-native infrastructure, one challenge stands out: How do you ensure compliance, security, and consistency without slowing down your delivery pipelines? Enter Open Policy Agent (OPA), the Swiss Army knife of policy enforcement.

OPA, combined with its declarative language Rego, empowers teams to define, enforce, and automate policies across diverse systems—like Kubernetes, Terraform, CI/CD pipelines, and beyond. Imagine having a single source of truth for all your policies, seamlessly integrated into your workflows, preventing misconfigurations and ensuring peace of mind.

This blog is your crash course in mastering OPA and Rego. We’ll explore how OPA helps you:

Secure your Kubernetes clusters with policies for pod security and resource limits.
Validate Terraform plans to avoid missteps in your cloud infrastructure.
Automate compliance checks in CI/CD pipelines to catch issues early.

Whether you’re a DevOps engineer, a cloud architect, or just someone curious about policy-as-code, you’ll walk away equipped to integrate OPA into your workflows confidently.

Prerequisites: What You Need to Know Before You Dive In

Before we jump into the hands-on examples and advanced integrations, here’s what you’ll need to get the most out of this guide:

Basic Knowledge of Kubernetes:
- Familiarity with resources like Pods, Deployments, and ConfigMaps.
- Understanding of Kubernetes admission controllers is a plus.
Terraform Basics:
- Know how to write simple Terraform configurations.
- Understand the Terraform plan and apply workflows.
Experience with CI/CD Pipelines:
- Understanding how to create and run pipelines in tools like GitHub Actions, GitLab CI, or Jenkins.
Command-Line Comfort:
- You’ll be running commands for OPA, Terraform, and Kubernetes CLI tools.
JSON Basics:
- Policies in OPA operate on JSON inputs, so a basic understanding of JSON structure will help.

If you’ve got these fundamentals covered, you’re ready to dive into the world of OPA and Rego. Let’s turn policies into code and code into peace of mind!

Introduction to Open Policy Agent (OPA)

What is OPA?

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that enables policy-based control for various systems. OPA allows you to define policies as code and decouple policy decisions from the underlying application logic.

Key Features of OPA:

Declarative policy definition using the Rego language.
Integration with diverse systems like Kubernetes, Terraform, APIs, and microservices.
Easy-to-use APIs for querying policy decisions.
Scalable and performance-optimized.

Use Cases for OPA:

CI/CD pipeline integrations for automated policy checks.

Enforcing compliance in cloud-native environments.

Access control in microservices architectures.

Validating infrastructure-as-code configurations.

Understanding Rego: The Policy Language

What is Rego?

Rego is a purpose-built policy language for OPA. It allows you to define rules and policies declaratively. Rego operates on JSON data, making it versatile and highly expressive.

Syntax and Fundamentals:

Rules: Define conditions and outputs (allow, deny).
Data: JSON documents used as input.
Functions: Built-in functions for logic and transformation.

Writing Basic Policies:

package example

default allow = false

allow {
    input.user.role == "admin"
}

The policy above allows access only if the user’s role is admin.

OPA in Kubernetes

Enforcing Policies with Gatekeeper:

Gatekeeper is an admission controller that integrates OPA with Kubernetes. It enforces policies during resource creation by evaluating them against predefined constraints.

Common Kubernetes Policy Examples:

Restricting the use of latest tags in images.
Enforcing resource limits on pods.
Disallowing privileged containers.

Hands-on Examples for CI/CD in Kubernetes:

Write a policy to ensure all pods have readOnlyRootFilesystem enabled:

package kubernetes.admission

deny[{"msg": msg}] {
    input.kind.kind == "Pod"
    container := input.spec.containers[_]
    not container.securityContext.readOnlyRootFilesystem
    msg := "Containers must set readOnlyRootFilesystem to true"
}

Integrate this policy into CI/CD pipelines to block non-compliant manifests.

OPA with Terraform

Why Use OPA with Terraform?

Terraform configurations can lead to security and compliance issues if not properly validated. OPA can be used to scan Terraform plans and ensure adherence to organizational policies.

Writing Policies for Terraform Plans:

Example: Restricting aws_instance types:

package terraform

deny[{"msg": msg}] {
    input.resource_changes[_].type == "aws_instance"
    input.resource_changes[_].change.after.instance_type == "t2.micro"
    msg := "t2.micro is not an allowed instance type"
}

Integration in CI/CD Pipelines:

Run OPA as a pre-deployment step.
Automatically reject non-compliant Terraform plans.

Setting Up OPA for CI/CD

Integrating OPA in CI/CD Workflows:

Use tools like opa CLI or Conftest to evaluate policies.
Integrate OPA checks in Jenkins, GitHub Actions, GitLab CI, etc.

Automating Policy Enforcement in Pipelines:

Add OPA evaluation as a pipeline stage.
Fail builds if any policy violations are detected.

Example Workflows:

Kubernetes CI/CD: Validate YAML manifests with OPA.
Terraform CI/CD: Lint Terraform plans before applying them.

Best Practices for Policy Management:

Centralize policy definitions.
Version control your policies.
Regularly review and update policies.

Hands-On (Small Examples, I promise)

You can view/do short hands-on exercises around opa with k8s, terraform, and github actions here

Conclusion

OPA and Rego are powerful tools for defining and enforcing policies as code. By integrating them into Kubernetes and Terraform workflows, you can achieve robust compliance and security automation in CI/CD pipelines. Start small, experiment, and progressively expand your use of OPA to secure your infrastructure effectively.

Resources for Further Learning: