gitmyhub

opa

Go ★ 12k updated 22h ago

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

An open-source policy engine that lets you write access and compliance rules in one place using a language called Rego, so any service in your system can ask it for authorization decisions instead of each app hardcoding its own rules.

Go · Rego · setup: moderate · complexity 3/5

Open Policy Agent, usually called OPA, is an open source tool that lets software teams define and enforce rules about what is and is not allowed in their systems. Instead of baking those rules into the application code itself, you write them separately in a language called Rego, and any service can ask OPA for a decision whenever it needs one.

The way it works is straightforward: your application sends a question to OPA, such as whether a particular user can access a particular resource, and OPA checks the rules you have written and sends back an answer. This keeps access and compliance logic in one place rather than scattered across many different services. When rules change, you update them in OPA rather than patching multiple applications.
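The question-and-answer flow described above, as an added example that is not code from the OPA project: a small Rego policy in which the application's question arrives as the `input` document and the answer is the value of `allow`. The package name, users, roles and grants are constructed for illustration.

```rego
package example.authz

import rego.v1

# Constructed sample data (assumption): roles held by each user.
user_roles := {
	"alice": {"admin"},
	"bob": {"viewer"},
}

# Constructed sample data (assumption): what each role may do to which resource type.
role_grants := {
	"admin": [{"action": "read", "type": "report"}, {"action": "write", "type": "report"}],
	"viewer": [{"action": "read", "type": "report"}],
}

# Fail closed: a request that matches no rule below is denied,
# including requests with missing fields or unknown users.
default allow := false

# Allow when any role of the requesting user carries a grant that
# matches both the requested action and the resource type.
allow if {
	some role in user_roles[input.user]
	some grant in role_grants[role]
	grant.action == input.action
	grant.type == input.resource.type
}

# Unit tests: each one replaces `input` with the question a service would send.
test_viewer_can_read if {
	allow with input as {"user": "bob", "action": "read", "resource": {"type": "report"}}
}

test_viewer_cannot_write if {
	not allow with input as {"user": "bob", "action": "write", "resource": {"type": "report"}}
}

test_unknown_user_denied if {
	not allow with input as {"user": "mallory", "action": "read", "resource": {"type": "report"}}
}

test_empty_request_denied if {
	not allow with input as {}
}
```

The `test_` rules at the bottom run with `opa test` against the file, so the deny-by-default behaviour is checked every time the policy changes.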

OPA can be used for many kinds of policy decisions: who can call which API endpoints, which cloud resources are allowed to be created, what labels a container must have, and so on. The project provides ready-made guides for connecting OPA to systems like Kubernetes, Terraform, Docker, and SSH. Teams at Netflix, Atlassian, and many other organizations use it in production to manage authorization across their infrastructure.

Getting started is accessible: there is a browser-based playground at play.openpolicyagent.org where you can write and test Rego rules without installing anything, and a VS Code extension is available for local development with live feedback. The project is a graduated member of the Cloud Native Computing Foundation, which means it has met that body's standards for stability and production readiness.

Where it fits