Performance, safety & the landscape
Fast, safe Rego; Sentinel & Kyverno.
Policy sits in hot paths — every admission, every request — so Rego performance matters. The main lever is avoiding accidental O(n²) evaluation: nested iteration over large collections, or rules that re-derive expensive intermediate results. Rego is optimized for the common cases, and OPA can report how a query evaluates. Use indexed lookups (comparing against a set/object key rather than iterating a list) and precompute shared values in helper rules.
$ opa eval -d policy.rego -i input.json --profile 'data.main.deny'+----------+----------+----------+| TIME | NUM EVAL | LOCATION |+----------+----------+----------+| 1.2ms | 340 | line 12 | <- hot spot: a nested iteration to optimize$ opa eval --partial ... # partial evaluation can pre-compute policy for a data set
The policy-engine landscape
OPA/Rego is general-purpose, but it is not the only option, and knowing the landscape helps you choose. Kyverno does Kubernetes policy in YAML (no new language) and is popular for admission when you do not need Rego’s generality. HashiCorp Sentinel is Terraform Cloud/Enterprise’s built-in policy language. Cloud-native scanners (Checkov, the next course) ship prewritten rules. OPA wins when you want one engine across many systems and full programmability; the others trade generality for simplicity in their niche.