Open Policy Agent (OPA)
Enforce policy-as-code across your stack with Open Policy Agent, the CNCF policy engine. Write Rego policies for Kubernetes admission control, API authorization, Terraform validation, and CI gates — with unit tests, coverage, and OPA/Gatekeeper or Conftest integration.
OPA decouples authorization and policy decisions from application code using the Rego language. This skill helps you write and test Rego policies, enforce Kubernetes admission control with Gatekeeper, validate Terraform plans with Conftest, add fine-grained API authorization, and ship policies with unit tests and coverage.
When to use
Use to write Rego policies for Kubernetes admission control, API authorization, Terraform validation, or CI gates — including policy unit tests and Gatekeeper/Conftest setup.
Examples
Kubernetes admission policy
Enforce cluster guardrails
Write an OPA/Gatekeeper policy that blocks pods running as root or without resource limits
Validate Terraform plans
Policy checks in CI
Use OPA with Conftest to fail my CI when a Terraform plan opens a security group to 0.0.0.0/0
API authorization
Fine-grained access rules
Write a Rego policy that authorizes API requests based on user role and resource ownership, with unit tests