Policies as Code using Open Policy Agent (OPA) and the Rego language.
```text
.
├── policies/                  # Rego policies organized by domain
│   ├── authz/                 # General authorization policies
│   │   ├── allow.rego
│   │   └── allow_test.rego
│   ├── kubernetes/            # Kubernetes admission control
│   │   └── admission/
│   │       ├── deny.rego
│   │       └── deny_test.rego
│   ├── terraform/             # Infrastructure-as-Code checks
│   │   ├── checks.rego
│   │   └── checks_test.rego
│   └── rbac/                  # Role-Based Access Control
│       └── rbac.rego
├── data/                      # Static data and test fixtures
│   └── fixtures/
│       ├── authz/
│       └── kubernetes/
├── bundles/                   # Compiled OPA bundles (git-ignored)
├── scripts/                   # Helper scripts
│   ├── test.sh
│   └── build.sh
├── .github/workflows/         # CI/CD pipelines
│   └── policy-tests.yaml
├── Makefile
├── opa-config.yaml            # OPA server configuration
└── .gitignore
```
Common `make` targets:

```text
make test        # run all policy unit tests
make fmt         # format Rego in-place
make fmt-check   # check formatting without modifying files
make build       # build OPA bundles into bundles/
make lint        # lint policies
```

Policy domains:

| Domain | Path | Description |
|---|---|---|
| Authorization | `policies/authz/` | Role-permission based access control |
| Kubernetes | `policies/kubernetes/` | Admission webhook policies |
| Terraform | `policies/terraform/` | IaC compliance checks |
| RBAC | `policies/rbac/` | Fine-grained RBAC model |
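As an added illustration of the `policies/authz/` domain (example code written for this page, not the repository's own `allow.rego`), a role-permission policy and the unit tests that sit beside it. The `data.roles` / `data.permissions` layout, the `projects/*` trailing-wildcard convention and the user/resource/action names are assumptions; the fixtures are constructed inline in the test file with `with`, so `opa test policies/authz` runs without anything in `data/fixtures/`. The two files are shown in one block, separated by comments.

```rego
# ---- policies/authz/allow.rego (added example, not the repository's file) ----
package authz

import rego.v1

# Deny by default: a request that matches no rule must never be allowed.
default allow := false

# Allowed when the user holds a role whose permission list grants the
# requested action on a resource pattern matching the requested resource.
# Assumed data layout:
#   data.roles       = {"<user>": ["<role>", ...]}
#   data.permissions = {"<role>": [{"resource": "<pattern>", "action": "<verb>"}, ...]}
allow if {
	some role in data.roles[input.user]
	some perm in data.permissions[role]
	perm.action == input.action
	resource_matches(perm.resource, input.resource)
}

# Exact match, or a trailing "/*" that grants a whole subtree (assumed convention).
resource_matches(pattern, resource) if pattern == resource

resource_matches(pattern, resource) if {
	endswith(pattern, "/*")
	startswith(resource, trim_suffix(pattern, "*"))
}

# ---- policies/authz/allow_test.rego (added example, not the repository's file) ----
package authz_test

import rego.v1

import data.authz

# Constructed fixtures; override data.roles / data.permissions via `with`.
roles := {"alice": ["admin"], "bob": ["viewer"]}

permissions := {
	"admin": [{"resource": "projects/*", "action": "write"}],
	"viewer": [{"resource": "projects/42", "action": "read"}],
}

test_admin_can_write_any_project if {
	authz.allow with input as {"user": "alice", "resource": "projects/7", "action": "write"}
		with data.roles as roles
		with data.permissions as permissions
}

test_viewer_can_read_own_project if {
	authz.allow with input as {"user": "bob", "resource": "projects/42", "action": "read"}
		with data.roles as roles
		with data.permissions as permissions
}

test_viewer_cannot_write if {
	not authz.allow with input as {"user": "bob", "resource": "projects/42", "action": "write"}
		with data.roles as roles
		with data.permissions as permissions
}

test_unknown_user_is_denied if {
	not authz.allow with input as {"user": "mallory", "resource": "projects/42", "action": "read"}
		with data.roles as roles
		with data.permissions as permissions
}
```

The negative tests matter as much as the positive one: `default allow := false` only protects you if the unknown-user and wrong-action cases are actually asserted, otherwise a later refactor that makes `allow` undefined-but-truthy through a typo in a `with` path goes unnoticed.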
Each policy file should:

- Declare a package at the top: `package <domain>.<subpackage>`
- Use `import rego.v1` to opt in to the current Rego syntax (`if` and `contains` keywords are then required for rule bodies and multi-value rules)
- Have a corresponding `_test.rego` file with unit tests
- Follow OPA naming conventions (`deny`, `allow`, `violation`)
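To show all four conventions together for the `policies/kubernetes/admission/` domain, here is an added example (written for this page, not the repository's own `deny.rego`): a `deny`-style admission policy and its `_test.rego`. It assumes OPA is deployed as a validating webhook that receives the raw `AdmissionReview`, so the object under review is at `input.request.object`; the three checks (non-root, non-privileged, no `:latest` tag) and the fixture pods are constructed for illustration. Gatekeeper users would expose the same logic as `violation[{"msg": msg}]` instead of `deny contains msg`.

```rego
# ---- policies/kubernetes/admission/deny.rego (added example, not the repository's file) ----
package kubernetes.admission

import rego.v1

# All containers (regular and init) of a Pod under review; empty for other kinds.
containers contains c if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.containers
}

containers contains c if {
	input.request.kind.kind == "Pod"
	some c in input.request.object.spec.initContainers
}

# runAsNonRoot absent or false -> deny (undefined ref is treated as "not set").
deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot
	msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# Mutable tag: the image can change under the deployment without any review.
deny contains msg if {
	some c in containers
	endswith(c.image, ":latest")
	msg := sprintf("container %q uses the mutable tag :latest (%s)", [c.name, c.image])
}

# ---- policies/kubernetes/admission/deny_test.rego (added example, not the repository's file) ----
package kubernetes.admission_test

import rego.v1

import data.kubernetes.admission

# Constructed AdmissionReview fixture builder (not from data/fixtures/).
pod_review(cs) := {"request": {
	"kind": {"kind": "Pod"},
	"object": {"spec": {"containers": cs}},
}}

test_hardened_pod_passes if {
	count(admission.deny) == 0 with input as pod_review([{
		"name": "app",
		"image": "registry.example/app:1.4.2",
		"securityContext": {"runAsNonRoot": true, "privileged": false},
	}])
}

test_root_privileged_latest_is_denied_three_times if {
	msgs := admission.deny with input as pod_review([{
		"name": "app",
		"image": "nginx:latest",
		"securityContext": {"privileged": true},
	}])
	count(msgs) == 3
}

test_missing_security_context_is_denied if {
	msgs := admission.deny with input as pod_review([{"name": "app", "image": "registry.example/app:1.4.2"}])
	count(msgs) == 1
}

test_non_pod_kinds_are_ignored if {
	count(admission.deny) == 0 with input as {"request": {"kind": {"kind": "Deployment"}, "object": {}}}
}
```

Run it with `opa test policies/kubernetes/admission -v`; the `deny` set is what the webhook handler turns into the `AdmissionResponse` message, so asserting on `count(admission.deny)` checks exactly what a user would see rejected.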
The GitHub Actions workflow (`.github/workflows/policy-tests.yaml`) automatically:

- Runs all policy tests on every push and pull request
- Checks Rego formatting
- Builds and uploads bundles on merges to `main`