What is OPA, and what is the Rego language used for? [Intermediate]
Answer
OPA, the Open Policy Agent, is a general-purpose policy engine. Rego is OPA's declarative policy language, used to express rules over structured input such as Kubernetes admission requests, Terraform plans, API authorization requests, or CI metadata, and to return a decision for each.
Technical explanation
OPA separates policy decision logic from application or platform code.
A Rego policy is evaluated against the input document (the JSON being decided on, e.g. an AdmissionReview) together with data documents (static context such as allowlists, loaded from files or a bundle) and returns decisions such as an allow/deny boolean or a set of violation messages.
OPA can run in CI, as a sidecar, as an admission controller, or as part of an authorization service.
Hands-on example
Simple Rego pattern (Rego v1 syntax; the import rego.v1 line makes the if/contains keywords available on OPA 0.59+ and matches the default in OPA 1.0):
package kubernetes.admission

import rego.v1

# Emit one violation message for a Pod admission request that contains a privileged container.
# Note: this looks only at spec.containers; initContainers need their own iteration or a shared helper set.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	container.securityContext.privileged == true
	msg := "Privileged containers are not allowed"
}
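The following is an added example written for this page, not code from the OPA project or from the original answer. It takes the privileged-container rule above, rewrites it in Rego v1 syntax, extends it to initContainers and to a namespace exemption list read from data rather than hard-coded, and adds unit tests with constructed AdmissionReview-shaped inputs that run offline with opa test. Assumptions: the opa CLI is installed; data.policy_config.exempt_namespaces is a hypothetical data path chosen for the example, not a standard one.

```rego
# Added example (not from the page): privileged-container rule in Rego v1 syntax,
# extended to initContainers and a namespace exemption list supplied via `data`,
# plus unit tests. Run with: opa test policy.rego -v
# Assumptions: opa CLI installed; data.policy_config.exempt_namespaces is a
# hypothetical data path chosen for this example.
package kubernetes.admission

import rego.v1

# Namespaces listed in the data document skip the check. If no such data is
# loaded, the `in` expression is undefined and `exempt` falls back to false.
default exempt := false

exempt if input.request.namespace in data.policy_config.exempt_namespaces

# Gather regular and init containers into one set so a privileged initContainer
# cannot bypass a rule that only looks at spec.containers.
all_containers contains c if some c in input.request.object.spec.containers

all_containers contains c if some c in input.request.object.spec.initContainers

# One violation message per offending container. A container without a
# securityContext makes `c.securityContext.privileged` undefined, so the body
# simply does not match for that container and emits no message, which is the
# intended "not privileged" outcome.
deny contains msg if {
	not exempt
	input.request.kind.kind == "Pod"
	some c in all_containers
	c.securityContext.privileged == true
	msg := sprintf("container %s must not run privileged", [c.name])
}

# ---- unit tests: constructed AdmissionReview-shaped inputs (test fixtures only) ----

# Helper building a minimal Pod admission request.
pod(ns, containers, init) := {"request": {
	"kind": {"kind": "Pod"},
	"namespace": ns,
	"object": {"spec": {"containers": containers, "initContainers": init}},
}}

test_privileged_container_denied if {
	inp := pod("default", [{"name": "app", "securityContext": {"privileged": true}}], [])
	"container app must not run privileged" in deny with input as inp
}

test_privileged_init_container_denied if {
	inp := pod("default", [{"name": "app"}], [{"name": "setup", "securityContext": {"privileged": true}}])
	"container setup must not run privileged" in deny with input as inp
}

test_unprivileged_pod_allowed if {
	inp := pod("default", [{"name": "app", "securityContext": {"privileged": false}}, {"name": "sidecar"}], [])
	count(deny) == 0 with input as inp
}

test_exempt_namespace_allowed if {
	inp := pod("kube-system", [{"name": "app", "securityContext": {"privileged": true}}], [])
	count(deny) == 0 with input as inp with data.policy_config.exempt_namespaces as ["kube-system"]
}

test_non_pod_kind_ignored if {
	inp := {"request": {"kind": {"kind": "Deployment"}, "namespace": "default", "object": {}}}
	count(deny) == 0 with input as inp
}
```

The with input as and with data.* as clauses substitute documents for a single expression, so the tests need neither a cluster nor a data file. In production the same policy runs behind a validating admission webhook (OPA or Gatekeeper) and the exemption list ships in a bundle or data.json; keep the exemption path in data so operators can change it without editing policy code.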
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]