Skip to main content
Version: 1.14

Introduction to Open Policy Agent


Open Policy Agent support has been introduced starting from these releases:

  • kwctl: v0.2.0
  • policy-server: v0.2.0

Open Policy Agent (OPA) is a general purpose policy framework that uses the Rego language to write policies.


Rego policies work by receiving an input to evaluate, and produce an output as a response. In this sense, OPA has no specific tooling for targeting writing policies for Kubernetes.

Specifically, policies in OPA receive a JSON input and produce a JSON output. The OPA server is configured to receive admission review requests from Kubernetes. The policies receive a Kubernetes AdmissionReview object in JSON format. They have to return a valid AdmissionReview object as the evaluation results.

Compatibility with existing policies

All policies can be compiled to the wasm target (WebAssembly) with the official opa CLI tool.

In terms of policy execution, you can read more about the OPA built-in support implemented in Kubewarden.