ReddRadar
Agent skill
policy-opa
Policy-as-code enforcement and compliance validation using Open Policy Agent (OPA). Use when: (1) Enforcing security and compliance policies across infrastructure and applications, (2) Validating Kubernetes admission control policies, (3) Implementing policy-as-code for compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA), (4) Testing and evaluating OPA Rego policies, (5) Integrating policy checks into CI/CD pipelines, (6) Auditing configuration drift against organizational security standards, (7) Implementing least-privilege access controls.
Install this agent skill to your Project
npx add-skill https://github.com/aiskillstore/marketplace/tree/main/skills/agentsecops/policy-opa
SKILL.md
Policy-as-Code with Open Policy Agent
Overview
This skill enables policy-as-code enforcement using Open Policy Agent (OPA) for compliance validation, security policy enforcement, and configuration auditing. OPA provides a unified framework for policy evaluation across cloud-native environments, Kubernetes, CI/CD pipelines, and infrastructure-as-code.
Use OPA to codify security requirements, compliance controls, and organizational standards as executable policies written in Rego. Automatically validate configurations, prevent misconfigurations, and maintain continuous compliance.
Quick Start
Install OPA
# macOS
brew install opa
# Linux
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
chmod +x opa
# Verify installation
opa version
Basic Policy Evaluation
# Evaluate a policy against input data
opa eval --data policy.rego --input input.json 'data.example.allow'
# Test policies with unit tests
opa test policy.rego policy_test.rego --verbose
# Run OPA server for live policy evaluation
opa run --server --addr localhost:8181
Core Workflow
Step 1: Define Policy Requirements
Identify compliance requirements and security controls to enforce:
- Compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA, NIST)
- Kubernetes security policies (pod security, RBAC, network policies)
- Infrastructure-as-code policies (Terraform, CloudFormation)
- Application security policies (API authorization, data access)
- Organizational security standards
Step 2: Write OPA Rego Policies
Create policy files in Rego language. Use the provided templates in assets/ for common patterns:
Example: Kubernetes Pod Security Policy
package kubernetes.admission
import future.keywords.contains
import future.keywords.if
deny[msg] {
input.request.kind.kind == "Pod"
container := input.request.object.spec.containers[_]
container.securityContext.privileged == true
msg := sprintf("Privileged containers are not allowed: %v", [container.name])
}
deny[msg] {
input.request.kind.kind == "Pod"
container := input.request.object.spec.containers[_]
not container.securityContext.runAsNonRoot
msg := sprintf("Container must run as non-root: %v", [container.name])
}
Example: Compliance Control Validation (SOC2)
package compliance.soc2
import future.keywords.if
# CC6.1: Logical and physical access controls
deny[msg] {
input.kind == "Deployment"
not input.spec.template.metadata.labels["data-classification"]
msg := "SOC2 CC6.1: All deployments must have data-classification label"
}
# CC6.6: Encryption in transit
deny[msg] {
input.kind == "Service"
input.spec.type == "LoadBalancer"
not input.metadata.annotations["service.beta.kubernetes.io/aws-load-balancer-ssl-cert"]
msg := "SOC2 CC6.6: LoadBalancer services must use SSL/TLS encryption"
}
Step 3: Test Policies with Unit Tests
Write comprehensive tests for policy validation:
package kubernetes.admission_test
import data.kubernetes.admission
test_deny_privileged_container {
input := {
"request": {
"kind": {"kind": "Pod"},
"object": {
"spec": {
"containers": [{
"name": "nginx",
"securityContext": {"privileged": true}
}]
}
}
}
}
count(admission.deny) > 0
}
test_allow_unprivileged_container {
input := {
"request": {
"kind": {"kind": "Pod"},
"object": {
"spec": {
"containers": [{
"name": "nginx",
"securityContext": {"privileged": false, "runAsNonRoot": true}
}]
}
}
}
}
count(admission.deny) == 0
}
Run tests:
opa test . --verbose
Step 4: Evaluate Policies Against Configuration
Use the bundled evaluation script for policy validation:
# Evaluate single file
./scripts/evaluate_policy.py --policy policies/ --input config.yaml
# Evaluate directory of configurations
./scripts/evaluate_policy.py --policy policies/ --input configs/ --recursive
# Output results in JSON format for CI/CD integration
./scripts/evaluate_policy.py --policy policies/ --input config.yaml --format json
Or use OPA directly:
# Evaluate with formatted output
opa eval --data policies/ --input config.yaml --format pretty 'data.compliance.violations'
# Bundle evaluation for complex policies
opa eval --bundle policies.tar.gz --input config.yaml 'data'
Step 5: Integrate with CI/CD Pipelines
Add policy validation to your CI/CD workflow:
GitHub Actions Example:
- name: Validate Policies
uses: open-policy-agent/setup-opa@v2
with:
version: latest
- name: Run Policy Tests
run: opa test policies/ --verbose
- name: Evaluate Configuration
run: |
opa eval --data policies/ --input deployments/ \
--format pretty 'data.compliance.violations' > violations.json
if [ $(jq 'length' violations.json) -gt 0 ]; then
echo "Policy violations detected!"
cat violations.json
exit 1
fi
GitLab CI Example:
policy-validation:
image: openpolicyagent/opa:latest
script:
- opa test policies/ --verbose
- opa eval --data policies/ --input configs/ --format pretty 'data.compliance.violations'
artifacts:
reports:
junit: test-results.xml
Step 6: Deploy as Kubernetes Admission Controller
Enforce policies at cluster level using OPA Gatekeeper:
# Install OPA Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
# Apply constraint template
kubectl apply -f assets/k8s-constraint-template.yaml
# Apply constraint
kubectl apply -f assets/k8s-constraint.yaml
# Test admission control
kubectl apply -f test-pod.yaml # Should be denied if violates policy
Step 7: Monitor Policy Compliance
Generate compliance reports using the bundled reporting script:
# Generate compliance report
./scripts/generate_report.py --policy policies/ --audit-logs audit.json --output compliance-report.html
# Export violations for SIEM integration
./scripts/generate_report.py --policy policies/ --audit-logs audit.json --format json --output violations.json
Security Considerations
- Policy Versioning: Store policies in version control with change tracking and approval workflows
- Least Privilege: Grant minimal permissions for policy evaluation - OPA should run with read-only access to configurations
- Sensitive Data: Avoid embedding secrets in policies - use external data sources or encrypted configs
- Audit Logging: Log all policy evaluations, violations, and exceptions for compliance auditing
- Policy Testing: Maintain comprehensive test coverage (>80%) for all policy rules
- Separation of Duties: Separate policy authors from policy enforcers; require peer review for policy changes
- Compliance Mapping: Map policies to specific compliance controls (SOC2 CC6.1, PCI-DSS 8.2.1) for audit traceability
Bundled Resources
Scripts (scripts/)
evaluate_policy.py- Evaluate OPA policies against configuration files with formatted outputgenerate_report.py- Generate compliance reports from policy evaluation resultstest_policies.sh- Run OPA policy unit tests with coverage reporting
References (references/)
rego-patterns.md- Common Rego patterns for security and compliance policiescompliance-frameworks.md- Policy templates mapped to SOC2, PCI-DSS, GDPR, HIPAA controlskubernetes-security.md- Kubernetes security policies and admission control patternsiac-policies.md- Infrastructure-as-code policy validation for Terraform, CloudFormation
Assets (assets/)
k8s-pod-security.rego- Kubernetes pod security policy templatek8s-constraint-template.yaml- OPA Gatekeeper constraint templatek8s-constraint.yaml- Example Gatekeeper constraint configurationsoc2-compliance.rego- SOC2 compliance controls as OPA policiespci-dss-compliance.rego- PCI-DSS requirements as OPA policiesgdpr-compliance.rego- GDPR data protection policiesterraform-security.rego- Terraform security best practices policiesci-cd-pipeline.yaml- CI/CD integration examples (GitHub Actions, GitLab CI)
Common Patterns
Pattern 1: Kubernetes Admission Control
Enforce security policies at pod creation time:
package kubernetes.admission
deny[msg] {
input.request.kind.kind == "Pod"
not input.request.object.spec.securityContext.runAsNonRoot
msg := "Pods must run as non-root user"
}
Pattern 2: Infrastructure-as-Code Validation
Validate Terraform configurations before apply:
package terraform.security
deny[msg] {
resource := input.resource_changes[_]
resource.type == "aws_s3_bucket"
not resource.change.after.server_side_encryption_configuration
msg := sprintf("S3 bucket %v must have encryption enabled", [resource.name])
}
Pattern 3: Compliance Framework Mapping
Map policies to specific compliance controls:
package compliance.soc2
# SOC2 CC6.1: Logical and physical access controls
cc6_1_violations[msg] {
input.kind == "RoleBinding"
input.roleRef.name == "cluster-admin"
msg := sprintf("SOC2 CC6.1 VIOLATION: cluster-admin binding for %v", [input.metadata.name])
}
Pattern 4: Data Classification Enforcement
Enforce data handling policies based on classification:
package data.classification
deny[msg] {
input.metadata.labels["data-classification"] == "restricted"
input.spec.template.spec.volumes[_].hostPath
msg := "Restricted data cannot use hostPath volumes"
}
Pattern 5: API Authorization Policies
Implement attribute-based access control (ABAC):
package api.authz
import future.keywords.if
allow if {
input.method == "GET"
input.path[0] == "public"
}
allow if {
input.method == "GET"
input.user.role == "admin"
}
allow if {
input.method == "POST"
input.user.role == "editor"
input.resource.owner == input.user.id
}
Integration Points
- CI/CD Pipelines: GitHub Actions, GitLab CI, Jenkins, CircleCI - validate policies before deployment
- Kubernetes: OPA Gatekeeper admission controller for runtime policy enforcement
- Terraform/IaC: Pre-deployment validation using
conftestor OPA CLI - API Gateways: Kong, Envoy, NGINX - authorize requests using OPA policies
- Monitoring/SIEM: Export policy violations to Splunk, ELK, Datadog for security monitoring
- Compliance Tools: Integrate with compliance platforms for control validation and audit trails
Troubleshooting
Issue: Policy Evaluation Returns Unexpected Results
Solution:
- Enable trace mode:
opa eval --data policy.rego --input input.json --explain full 'data.example.allow' - Validate input data structure matches policy expectations
- Check for typos in policy rules or variable names
- Use
opa fmtto format policies and catch syntax errors
Issue: Kubernetes Admission Control Not Blocking Violations
Solution:
- Verify Gatekeeper is running:
kubectl get pods -n gatekeeper-system - Check constraint status:
kubectl get constraints - Review audit logs:
kubectl logs -n gatekeeper-system -l control-plane=controller-manager - Ensure constraint template is properly defined and matches policy expectations
Issue: Policy Tests Failing
Solution:
- Run tests with verbose output:
opa test . --verbose - Check test input data matches expected format
- Verify policy package names match between policy and test files
- Use
print()statements in Rego for debugging
Issue: Performance Degradation with Large Policy Sets
Solution:
- Use policy bundles:
opa build policies/ -o bundle.tar.gz - Enable partial evaluation for complex policies
- Optimize policy rules to reduce computational complexity
- Index data for faster lookups using
input.keypatterns - Consider splitting large policy sets into separate evaluation domains
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
aiskillstore/marketplace
perigon-backend
Perigon ASP.NET Core + EF Core + Aspire conventions
aiskillstore/marketplace
perigon-agent
Pointers for Copilot/agents to apply Perigon conventions
aiskillstore/marketplace
perigon-angular
Angular 21+ standalone/Material/signal conventions for Perigon WebApp
aiskillstore/marketplace
fastapi-mastery
Comprehensive FastAPI development skill covering REST API creation, routing, request/response handling, validation, authentication, database integration, middleware, and deployment. Use when working with FastAPI projects, building APIs, implementing CRUD operations, setting up authentication/authorization, integrating databases (SQL/NoSQL), adding middleware, handling WebSockets, or deploying FastAPI applications. Triggered by requests involving .py files with FastAPI code, API endpoint creation, Pydantic models, or FastAPI-specific features.
aiskillstore/marketplace
context7-efficient
Token-efficient library documentation fetcher using Context7 MCP with 86.8% token savings through intelligent shell pipeline filtering. Fetches code examples, API references, and best practices for JavaScript, Python, Go, Rust, and other libraries. Use when users ask about library documentation, need code examples, want API usage patterns, are learning a new framework, need syntax reference, or troubleshooting with library-specific information. Triggers include questions like "Show me React hooks", "How do I use Prisma", "What's the Next.js routing syntax", or any request for library/framework documentation.
aiskillstore/marketplace
browser-use
Browser automation using Playwright MCP. Navigate websites, fill forms, click elements, take screenshots, and extract data. Use when tasks require web browsing, form submission, web scraping, UI testing, or any browser interaction.
Didn't find tool you were looking for?