Open Policy Agent
Note well: Open Policy Agent support has been introduced starting from these releases:
- kwctl: v0.2.0
- policy-server: v0.2.0
Open Policy Agent is a general purpose policy framework that uses the Rego language to write policies.
Rego policies receive an input to evaluate and produce an output in response. In this sense, Open Policy Agent has no tooling specifically aimed at writing policies for Kubernetes.
Specifically, policies in Open Policy Agent receive a JSON input and produce a JSON output. When the Open Policy Agent server is set up to receive admission review requests from Kubernetes, policies will receive a Kubernetes AdmissionReview object in JSON format with the object to evaluate, and they have to produce a valid AdmissionReview object in return with the evaluation results.
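The contract described above, as an added example that is not taken from the Kubewarden or Open Policy Agent projects: a policy that reads an AdmissionReview request and returns an AdmissionReview response. The package name `policy`, the entrypoint `main`, the file name `policy.rego` and the privileged-container rule are assumptions chosen for illustration, and `import rego.v1` assumes a recent `opa` release.

```rego
# Constructed example. One way to compile it to WebAssembly:
#   opa build -t wasm -e policy/main policy.rego
package policy

import rego.v1

# Entrypoint: the AdmissionReview document handed back to Kubernetes.
main := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": response,
}

# The response must echo the UID of the request it answers.
# object.get keeps the policy defined even if the field is missing.
uid := object.get(input, ["request", "uid"], "")

# Reject when any deny message exists, otherwise allow.
response := {
	"uid": uid,
	"allowed": false,
	"status": {"message": concat("; ", deny)},
} if {
	count(deny) > 0
} else := {
	"uid": uid,
	"allowed": true,
}

# Every container list of the Pod is checked, not only spec.containers.
# A DELETE request carries no object, so this set is then empty.
all_containers contains c if {
	some field in ["containers", "initContainers", "ephemeralContainers"]
	some c in input.request.object.spec[field]
}

# A missing securityContext leaves this rule undefined, so no message
# is produced for containers that do not ask for privileged mode.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in all_containers
	container.securityContext.privileged == true
	msg := sprintf("container '%s' must not run privileged", [container.name])
}
```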
Compatibility with existing policies
All policies can be compiled to the wasm target (WebAssembly) with the opa CLI tool.
In terms of policy execution, you can read more about the Open Policy Agent built-in support that is implemented in Kubewarden.