Open Policy Agent (OPA)
General-purpose policy engine with Rego: unify authorization and config decisions across K8s, APIs, Terraform plans, and CI.
Why it is included
CNCF graduated project; it underpins Kubernetes admission control via Gatekeeper and many other guardrail-as-code patterns.
Best for
Platform engineering enforcing guardrails as code.
Strengths
- Rego: a declarative policy language with built-in unit testing (`opa test`) and a REPL for iterating on rules
- Bundles: versioned, optionally signed packages of policy and data that OPA instances pull from a server
- Sidecar and library modes: run as a daemon queried over a local REST API, or embed the evaluator as a Go library
Limitations
- Policy authoring learning curve: Rego's declarative, set-based semantics are unfamiliar to most engineers, and a rule whose body does not match evaluates to undefined rather than false, which routinely surprises newcomers until they test policies deliberately
Good alternatives
Kyverno (K8s-native YAML) · Cedar (AWS)
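As an added example (not code from the OPA project or this page), the following Rego policy shows the admission-control pattern mentioned above together with the unit tests that `opa test` runs. It assumes the Kubernetes AdmissionReview v1 input shape (`input.request.kind.kind`, `input.request.namespace`, `input.request.object`); the exempt namespace set, the required `owner` label and the digest-pinning rule are illustrative choices, not OPA defaults.

```rego
# Added example: Kubernetes admission policy with tests.
# Save as policy.rego and run `opa test -v policy.rego`.
package kubernetes.admission

import rego.v1

# Assumption: namespaces where platform components may run privileged.
exempt_namespaces := {"kube-system"}

# All containers of the admitted Pod, including init containers.
containers contains c if {
	some c in input.request.object.spec.containers
}

containers contains c if {
	some c in input.request.object.spec.initContainers
}

# Deny privileged containers outside exempt namespaces.
deny contains msg if {
	input.request.kind.kind == "Pod"
	not input.request.namespace in exempt_namespaces
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# Deny images that are not pinned by digest (builtin contains(), not the keyword).
deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in containers
	not contains(c.image, "@sha256:")
	msg := sprintf("container %q must pin its image by digest, got %q", [c.name, c.image])
}

# Deny Pods without an owner label (assumed naming convention).
deny contains msg if {
	input.request.kind.kind == "Pod"
	not input.request.object.metadata.labels.owner
	msg := "pod must carry an 'owner' label"
}

# Test helper: build a minimal AdmissionReview for a Pod (constructed input).
pod_review(ns, labels, cs) := {"request": {
	"kind": {"kind": "Pod"},
	"namespace": ns,
	"object": {"metadata": {"labels": labels}, "spec": {"containers": cs}},
}}

good := [{"name": "app", "image": "ghcr.io/acme/app@sha256:0123", "securityContext": {"privileged": false}}]

test_compliant_pod_allowed if {
	count(deny) == 0 with input as pod_review("prod", {"owner": "team-a"}, good)
}

test_privileged_and_unpinned_denied if {
	bad := [{"name": "app", "image": "nginx:latest", "securityContext": {"privileged": true}}]
	result := deny with input as pod_review("prod", {"owner": "team-a"}, bad)
	count(result) == 2
}

test_exempt_namespace_may_run_privileged if {
	bad := [{"name": "app", "image": "nginx@sha256:0123", "securityContext": {"privileged": true}}]
	result := deny with input as pod_review("kube-system", {"owner": "platform"}, bad)
	count(result) == 0
}

test_missing_owner_label_denied if {
	result := deny with input as pod_review("prod", {}, good)
	count(result) == 1
}
```

The same file serves the sidecar mode: `opa run --server policy.rego` exposes the decision at `POST /v1/data/kubernetes/admission/deny` with the AdmissionReview passed as `{"input": ...}`, and an admission webhook denies the request whenever the returned set is non-empty. Note that each `deny` rule guards on `input.request.kind.kind == "Pod"`; without that guard a Deployment or Job would be rejected for lacking `spec.containers`, which is the undefined-versus-false pitfall from the limitations above.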
Related tools
- Kyverno (Security & Privacy): Kubernetes-native policy engine using YAML (no Rego) for validate, mutate, generate, and image verification rules.
- Terrascan (Security & Privacy): IaC scanner detecting security issues across Terraform, Kubernetes, Helm, Docker, and cloud APIs via OPA/Rego policies.
- Falco (Security & Privacy): Cloud-native runtime security for Linux/Kubernetes: syscall and K8s audit rules with Falcoctl and ecosystem outputs.
- Kubescape (Security & Privacy): Kubernetes security scanner for misconfigurations, RBAC, compliance frameworks (NSA/CIS), and image vulnerabilities.
- Inspektor Gadget (Security & Privacy): CNCF eBPF-based observability for Kubernetes: gadgets for tracing DNS, TCP, exec, and security events from kubectl.
- kube-bench (Security & Privacy): CIS Kubernetes benchmark checker: run checks against nodes, control plane, etcd, and policies with readable reports.
