Performance, safety & the landscape

Fast, safe Rego; Sentinel & Kyverno.

Advanced12 min · lesson 11 of 12

Policy sits in hot paths — every admission, every request — so Rego performance matters. The main lever is avoiding accidental O(n²) evaluation: nested iteration over large collections, or rules that re-derive expensive intermediate results. Rego is optimized for the common cases, and OPA can report how a query evaluates. Use indexed lookups (comparing against a set/object key rather than iterating a list) and precompute shared values in helper rules.

terminal
$ opa eval -d policy.rego -i input.json --profile 'data.main.deny'
+----------+----------+----------+
| TIME | NUM EVAL | LOCATION |
+----------+----------+----------+
| 1.2ms | 340 | line 12 | <- hot spot: a nested iteration to optimize
$ opa eval --partial ... # partial evaluation can pre-compute policy for a data set

The policy-engine landscape

OPA/Rego is general-purpose, but it is not the only option, and knowing the landscape helps you choose. Kyverno does Kubernetes policy in YAML (no new language) and is popular for admission when you do not need Rego’s generality. HashiCorp Sentinel is Terraform Cloud/Enterprise’s built-in policy language. Cloud-native scanners (Checkov, the next course) ship prewritten rules. OPA wins when you want one engine across many systems and full programmability; the others trade generality for simplicity in their niche.

When OPA vs the alternatives
reach for OPA/Rego
many systems, one engine
k8s + CI + services + APIs
complex, programmable logic
full language
reach for the niche tool
Kyverno
k8s admission in YAML
Sentinel
Terraform Cloud/Enterprise
Checkov / KICS
prewritten IaC scans
OPA for breadth and programmability; the niche tools when their single-domain simplicity is enough.
A slow policy is an availability risk in the hot path
When OPA gates admission or every request, a pathologically slow policy adds latency to (or times out) real operations — a policy bug becomes an outage. Profile policies that run in hot paths, avoid unbounded nested iteration over large data, load large facts as indexed data rather than lists, and load-test the enforcement point. Correctness and performance are both non-negotiable when policy is inline.