OPA · Cheat sheet
OPA & Rego cheat sheet
Open Policy Agent and the Rego language, beginner to advanced: the opa CLI, Rego rules and idioms, testing, conftest for config files, bundles and the decision API, and Gatekeeper — with example output.
opa CLIBeginner
opa version
Print the OPA version.
opa run
Start an interactive Rego REPL.
opa run -s
Run OPA as a server (REST API on :8181).
opa eval -d policy.rego -i input.json "data.example.allow"
Evaluate a query against policy + input.
{"result":[{"expressions":[{"value":true,...}]}]}opa eval -f pretty -d . "data.example.deny"
Pretty output; load a whole directory.
opa fmt -w policy.rego
Auto-format Rego in place.
opa check .
Type-check every policy in a directory.
opa test . -v
Run *_test.rego unit tests.
data.example.test_allow: PASS (312µs) PASS: 5/5
opa test --coverage -f json .
Report per-line policy coverage.
Rego basicsBeginner
package example
Every file begins with a package (its namespace under data).
import rego.v1
Opt into the modern v1 keyword syntax (if/contains).
default allow := false
A safe default so undefined never means allowed.
allow if { input.method == "GET" }
A rule — true when its body holds.
deny contains msg if { ... }
Collect violation messages into a set.
input.user.role
The request document you pass in with -i.
data.example.allow
Reference a computed rule from elsewhere.
Rego languageIntermediate
some i; input.items[i].public
Introduce a variable and iterate.
every x in input.ports { x < 1024 }
Universal quantifier — all must hold.
names := [u.name | u := input.users[_]]
Comprehension — build a list.
count(input.replicas) >= 3
count/sum/max over collections.
startswith(input.image, "reg.io/")
String helpers: startswith/endswith/contains.
regex.match("^v[0-9]+$", input.tag)
Regex matching.
object.get(input, ["a","b"], "def")
Safe nested lookup with a default.
conftest (config files)Intermediate
conftest test deployment.yaml
Test a YAML/JSON/HCL file against policy/.
FAIL - deployment.yaml - main - container must set runAsNonRoot 1 test, 1 failure
conftest test -p policy/ k8s/*.yaml
Point at a specific policy directory.
conftest verify
Run the policy’s own unit tests.
conftest test --output json app.yaml
JSON results for CI parsing.
conftest test --namespace main file.yaml
Only evaluate rules in one package.
conftest push / pull ghcr.io/org/policy
Ship/fetch policy bundles as OCI artifacts.
Bundles & decision APIAdvanced
opa build -b policy/ -o bundle.tar.gz
Compile policies + data into a bundle.
opa run -s -b bundle.tar.gz
Serve a bundle over the REST API.
curl :8181/v1/data/example/allow -d @input.json
Ask the server for a decision.
{"result":true}opa eval --profile -d . "data"
Profile which rules cost the most.
Gatekeeper (K8s admission)Advanced
kubectl apply -f constrainttemplate.yaml
Register a reusable Rego policy as a CRD.
kubectl apply -f constraint.yaml
Instantiate the template with parameters.
kubectl get constraints
List active constraints and violation counts.
kubectl get constrainttemplates
List installed policy templates.
gator test -f policy/ -f resources/
Test Gatekeeper policies locally before applying.
Go deeper
Full, hands-on DevSecOps courses