What OPA is: decoupled policy
One engine for all your rules.
Open Policy Agent (OPA) is a general-purpose policy engine. The idea is decoupled policy: instead of scattering authorization and validation logic through your application code, config, and pipelines, you write the rules once in a dedicated policy language and ask OPA for decisions. Anything that can produce JSON and act on a yes/no (or richer) answer can offload its policy to OPA — microservices, Kubernetes admission, CI pipelines, Terraform plans, API gateways.
The model is simple and uniform: OPA takes input (the JSON describing what you are asking about — a request, a resource, a plan) plus optional data (external facts like a list of allowed registries), evaluates your policy, and returns a decision. It does not know or care what the input represents; it just evaluates rules over JSON. That generality is why one engine and one language can govern such different systems.
Why decouple policy
Centralizing policy has concrete benefits: rules live in one place, version-controlled and code-reviewed; they are testable in isolation; and they are consistent across services that would otherwise each reimplement “no public buckets” slightly differently. It also separates who writes policy (often security/platform) from who writes the app, without forcing a redeploy of the app to change a rule. Policy-as-code is to guardrails what IaC is to infrastructure.