OPA Architecture and Deployment Modes

📖 Introduction

Before I deployed OPA to a real cluster, I needed to understand how it actually works at runtime. The documentation makes the policy language clear, but the deployment model takes some thought. OPA can run as a server, a sidecar, an embedded library, or a CLI tool — and choosing the right mode shapes how you integrate it.

This article covers the internal architecture of OPA and the four ways to deploy it, so the Kubernetes-specific setup in the next article makes sense.

🏗️ OPA Internal Architecture

At its core, OPA is a evaluation engine:

1. Policies (Rego files) are compiled into a query plan

2. At query time, OPA loads input and data, then executes the plan

3. The result is returned as JSON

The Data Store

OPA maintains an in-memory document store for the data document. You populate it by:

• Loading JSON/YAML files at startup (opa run -d data.json)

• Pushing data via the REST API (PUT /v1/data/...)

• Loading a bundle (covered in Article 06)

Policy Compilation

When OPA loads a .rego file, it compiles it immediately. Compilation validates syntax, resolves imports, and optimizes the policy into an internal representation. This means policy errors are caught at load time, not evaluation time.

🔌 Deployment Modes

OPA can be deployed in four ways. Each suits different integration patterns.

Mode 1: CLI (Local Evaluation)

Use this for:

• Local development and testing

• CI/CD pipeline policy gates

• One-shot policy checks in scripts

No server needed. OPA loads policies and input, evaluates, exits.

Mode 2: REPL (Interactive)

Use this for:

• Exploring and debugging policies

• Learning Rego interactively

• Testing edge cases before writing unit tests

Mode 3: OPA Server (REST API)

OPA starts an HTTP server. Any system can query it over REST:

This is how Kubernetes Gatekeeper and many sidecar deployments work under the hood.

Key API endpoints:

Mode 4: Go Library (Embedded)

For Go applications, OPA can be embedded directly:

The compiled query is safe to cache and share across goroutines — OPA evaluates each call independently from the cached plan.

Use this when:

• You're writing a Go service that needs policy decisions inline

• Network latency to an OPA server is unacceptable

• You want zero external dependencies at runtime

🔄 Sidecar vs Centralized Deployment

When using OPA as a server (Mode 3), you have two topology choices:

For Kubernetes admission control, OPA runs as a Deployment with replicas — not a true sidecar, but centralized within the cluster.

🔒 OPA Server Security Considerations

By default, OPA's REST API has no authentication. For any real deployment:

OPA also supports mTLS, OIDC token verification, and custom authentication plugins.

📡 How OPA Gets Policies and Data

Three patterns for keeping OPA's policies and data current:

1. Static Load at Startup

Policies are loaded once. Requires restart to update. Fine for development, limiting for production.

2. REST API Push

Fine-grained control, but you manage the push mechanism.

3. Bundles (Recommended for Production)

OPA periodically pulls a bundle — a compressed archive of policies and data — from a bundle server. This is the standard production pattern.

Bundles are covered in depth in Article 06.

📊 OPA Decision Logging

In production, you want to know what decisions OPA is making. OPA supports decision logging — every evaluation can be sent to a remote endpoint:

Each log entry includes the input, the decision, the policy that matched, and timing information. This is critical for auditing and debugging policy behavior in production.

🧭 What's Next

Now that you understand how OPA runs, the next article puts it in Kubernetes using OPA Gatekeeper — the standard way to use OPA as an admission controller.

Next: Article 04 — OPA Gatekeeper on Kubernetes

📎 References

• OPA Deployment Documentation

• OPA REST API Reference

• OPA Configuration Reference

• OPA Decision Logs