Questions tagged [open-policy-agent]

Open Policy Agent is an open source, general-purpose policy engine that enables policy-based control across the stack. Use this tag for questions related to using OPA, the Rego Language, or any of its derivatives (such as Gatekeeper or Conftest).

240 questions
13 votes, 2 answers

using open policy agent (OPA) as an ABAC system

I have a project that requires ABAC for access control for my project's resources. I've been looking at OPA and authzforce as options to implement ABAC and OPA looks like it might be less complicated than authzforce. I see that OPA compares itself to…
zero
8 votes, 2 answers

Integrate Open Policy Agent with ASP.Net Core web API

I was going through some videos and tutorials on OPA (Open Policy Agent) and found it really cool to use it for implementing Authentication and Authorization across multiple services / APIs. However I am not able to get any insights on how to…
Amit Anand
8 votes, 2 answers

OR in Open Policy Agent (union behavior)

In OPA it's clear how to query against condition AND condition: values := { "value1": { "a": "one" }, "value2": { "a": "one", "b": "two" }, "value3": { "a": "one", "b": "one" } } goodValues = [name | value =…
Sergii Pogodin
4 votes, 0 answers

OPA web UI - Monitor and Administer policies

We are about to implement OPA in our project to make decisions based on user provided policies and facts. Is there any open source tool available which acts as a UI to transform user provided inputs into policy (in REGO language) and dataset (in JSON)?…
dvlpr
4 votes, 2 answers

Using OR condition in OPA rego

I want to use an OR operation to combine the following conditions: the count of my arr is not equal to 0; my email does not contain "test.com". Currently I am using the built-in function any(): any([count(arr) != 0, not contains(email,…
jrchew
4 votes, 1 answer

Can OPA Gatekeeper be used to audit K8s PodDisruptionBudget status fields?

We are looking to use OPA gatekeeper to audit K8s PodDisruptionBudget (PDB) objects. In particular, we are looking to audit the number of disruptionsAllowed within the status field. I believe this field will not be available at point of admission…
4 votes, 3 answers

Compare two arrays in the Rego Language

violation[{"msg": msg}] { required:= ["red", "green", "blue"] input := ["orange", "purple"] msg := sprintf("") } I want to compare each value from the input array in the required array. In other languages, two normal loops will do it.…
Xameer
4 votes, 1 answer

Rego testing: how to test "not deny"?

I'm exploring testing my Rego policies using opa test starting with this trivial rule: deny["Must be allowed"] { input.allowed == "no" } I'm able to successfully test this against a case where this is denied: test_denied_example { deny with…
eirikir
4 votes, 1 answer

How can I disable deployment in Kubernetes

We provide a Kubernetes cluster for many users, with separation between applications by namespace. For deploys we use kubernetes-helm. There are situations when we need to close the opportunity to deploy the app in the cluster. One option is to change…
Arslanbekov Denis
3 votes, 0 answers

Open Policy Agent (OPA) for front and back end policy evaluation

We have a business application that has a number of policy rules for which OPA seems well suited. As a simple example: "an order can be modified from status 'X' to 'Y' iff the user is in role 'R'". We'd ideally like to evaluate some of these…
3 votes, 3 answers

How to validate application authorizations in a hierarchical RBAC/ABAC policy definition with Open Policy Agent?

We are building a cloud based application, using C# as our main language and running on Microsoft Azure. One of the key pieces of the architecture is to have fine grained authorization rights implemented for business logic in the application. Open…
Sam Vanhoutte
3 votes, 0 answers

How to implement OPA with Django microservices?

I am starting a project where there'll be a bunch of microservices in Django. I want to implement a separate Authentication and Authorization system that all the microservices will talk to for end-user auth. So, my doubts are: What approach should…
sy_ar001
3 votes, 2 answers

Is there a way to have kustomize merge the content of a file into a yaml file?

I am curious to know if there is a way to do a Kustomize replacement or other operation to inject the contents of a non-yaml file into a yaml file using Kustomize. I know Kustomize is not a template engine and that this could be accomplished with…
3 votes, 1 answer

Running simple Open Policy Agent Playground example from CLI

It's not clear to me how to run the Simple Example from the Open Policy Agent Playground from the CLI. play.rego package play default hello = false hello { m := input.message m == "world" } input.json { "message": "world" } I tried…
user284503
3 votes, 1 answer

OPA/Rego execute function for each element of an array

I am new at OPA/Rego and I am trying to write a policy to check if an Azure Network Security Group contains all the rules that I define on an array package sample default compliant = false toSet(arr) = {x | x := arr[_]} checkProperty(rule, index,…
delucaezequiel