Open Policy Agent (OPA)

Deploy OPA Gatekeeper to the K8s cluster.

Write a Rego policy that checks 'input.review.object.spec.containers' for 'runAsNonRoot'.

Apply the ConstraintTemplate and Constraint CRDs to the cluster.

Attempt to deploy a non-compliant pod; Gatekeeper blocks the request at the API server.

Deploy OPA as a sidecar alongside each microservice container.

On every incoming HTTP request, the service sends the JWT and path to OPA.

OPA evaluates the 'allow' rule based on user roles and environmental data.

The service blocks 403 Forbidden if OPA returns 'false'.

Run 'terraform plan -out=tfplan.binary'.

Convert the plan to JSON: 'terraform show -json tfplan.binary > tfplan.json'.

Run 'opa exec' against the JSON plan using a library of cloud security Rego policies.

Fail the CI/CD build if the policy finds unencrypted S3 buckets or open SSH ports.

Configure Envoy's external_authz filter to point to an OPA instance.

Define policies in Rego to handle complex logic like 'only allow users from IP range X'.

Envoy pauses the request, queries OPA, and either proceeds or terminates based on the response.

Application fetches raw data from the database.

App sends the data and user context to OPA.

OPA returns a modified JSON object with sensitive fields (e.g., SSN) replaced by '***'.

The application serves the masked data to the end-user.

Install the OPA-PAM plugin on Linux servers.

Define access policies in OPA based on LDAP/AD groups.

When a user attempts to SSH, PAM queries OPA for an allow/deny decision.

Access is granted or logged and denied instantly across the fleet.

Use the OPA-Kafka plugin to intercept client requests.

Policy checks if the principal is authorized for the specific topic name and operation.

OPA provides real-time authorization at the broker level.