Policy Engines — Trivia & Interesting Facts¶
Surprising, historical, and little-known facts about policy engines.
Open Policy Agent (OPA) was created to solve Kubernetes admission control¶
OPA was created by Tim Hinrichs and Torin Sandall at Styra in 2016. While OPA is a general-purpose policy engine (a daemon or library that answers policy queries over JSON input and returns a decision), its breakout use case was Kubernetes admission control: a validating admission webhook hands each API request to OPA, which enforces rules such as "all containers must have resource limits" or "no pods may run as root" before the object is persisted. This use case drove OPA's early adoption.
Rego was designed by a programming language PhD, and it shows¶
OPA's policy language, Rego, was designed by Tim Hinrichs, who holds a PhD in computer science with a research background in logic programming. Rego is a declarative, logic-programming language descended from Datalog: a rule is a set of conditions that must all hold, variables are unified against the data rather than assigned, there are no loops or mutable state, and recursion is rejected so evaluation always terminates. That heritage makes Rego expressive and safe to evaluate on untrusted input, but it also gives it a steep learning curve for engineers used to imperative languages, and Rego is commonly cited as the biggest barrier to OPA adoption.
Gatekeeper makes OPA accessible to Kubernetes operators¶
Gatekeeper, the OPA-based admission controller for Kubernetes (started in 2019 by Google, Microsoft, Red Hat, and Styra), exists because running raw OPA as an admission webhook meant operators had to write, distribute, and update Rego themselves. Gatekeeper introduced two CRDs: a ConstraintTemplate, in which a policy author writes the Rego once together with a parameter schema, and Constraints, which instantiate a template with concrete parameters and match criteria (kinds, namespaces, label selectors). Cluster operators enforce policy by writing Constraints, which are plain YAML, without touching Rego. Gatekeeper also added an audit mode that reports violations in resources that already exist, so a policy can be trialled before it blocks anything.
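As an added example (not from the Gatekeeper project or the original page), here is what that split looks like in practice: a ConstraintTemplate carrying the Rego for the "all containers must have resource limits" check, and a Constraint that switches it on for Pods and supplies the list of required limits. The template name, the kind, the parameter name and the excluded namespace are all choices made for this example, and the Rego is written in the classic (pre-OPA 1.0) syntax that Gatekeeper templates have historically used.

```yaml
# ConstraintTemplate: written once by the policy author. Holds the Rego and
# the schema of the parameters a Constraint is allowed to pass in.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredresourcelimits          # example name
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredResourceLimits    # the Constraint kind this template creates
      validation:
        openAPIV3Schema:
          type: object
          properties:
            limits:                        # e.g. ["cpu", "memory"]
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredresourcelimits

        # Collect every container in the admitted Pod, init containers
        # included, so the violation rule can iterate over one set.
        containers[c] {
          c := input.review.object.spec.containers[_]
        }

        containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # One violation per (container, missing limit) pair. Gatekeeper denies
        # the request when this set is non-empty and reports every msg.
        violation[{"msg": msg}] {
          c := containers[_]
          required := input.parameters.limits[_]
          not c.resources.limits[required]
          msg := sprintf("container %q must set resources.limits.%s", [c.name, required])
        }
---
# Constraint: written by the cluster operator. No Rego here, only which
# objects the template applies to and the parameters it receives.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResourceLimits
metadata:
  name: containers-must-set-limits         # example name
spec:
  enforcementAction: deny                  # "dryrun" or "warn" to audit first
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]    # example exemption
  parameters:
    limits: ["cpu", "memory"]
```

Apply the template first, then the Constraint (the Constraint's kind does not exist until Gatekeeper has processed the template). A Pod whose container omits `resources.limits.memory` is then rejected with the message from the `violation` rule, and the same template can be reused by a second Constraint that, say, only requires `cpu` in a particular namespace. Rolling out with `enforcementAction: dryrun` and reading the audit results before switching to `deny` avoids breaking workloads that predate the policy.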
Kyverno was created specifically because Rego was too hard¶
Nirmata created Kyverno in 2019 as a Kubernetes-native policy engine whose policies are written in YAML, the format Kubernetes operators already know, rather than Rego: policies are themselves Kubernetes resources (ClusterPolicy and the namespaced Policy) that validate, mutate, or generate other resources. Kyverno's design philosophy was that a policy should be as easy to write as the manifests it governs. This accessibility-first approach made Kyverno the fastest-growing alternative to OPA/Gatekeeper; it entered the CNCF Sandbox in 2020 and became an Incubating project in 2022.
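As an added example (written for this page, not taken from Kyverno's policy library, although that library ships a policy of the same shape), the "no pods may run as root" rule expressed as a Kyverno ClusterPolicy. There is no Rego: the policy is a Kubernetes resource, and the check is a pattern that the Pod spec must match. The policy name and the excluded namespace are choices made for this example.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot              # example name
spec:
  validationFailureAction: Enforce          # "Audit" reports violations without blocking
  background: true                          # also report on resources that already exist
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds: ["Pod"]
      exclude:
        any:
          - resources:
              namespaces: ["kube-system"]   # example exemption
      validate:
        message: >-
          Running as root is not allowed. Set securityContext.runAsNonRoot to true
          at the pod level (and do not override it per container), or on every container.
        # The Pod must satisfy at least one of these two patterns.
        anyPattern:
          # Option 1: the pod sets it, and no container overrides it to false.
          # "=(field)" is a conditional anchor: if the field is present it must
          # match, and a container with no securityContext simply inherits.
          - spec:
              securityContext:
                runAsNonRoot: "true"
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): "true"
              containers:
                - =(securityContext):
                    =(runAsNonRoot): "true"
          # Option 2: every container (and init container) sets it explicitly.
          - spec:
              =(initContainers):
                - securityContext:
                    runAsNonRoot: "true"
              containers:
                - securityContext:
                    runAsNonRoot: "true"
```

A list element in a Kyverno pattern applies to every element of the corresponding list in the resource, which is why one `- securityContext:` entry covers all containers. The conditional anchors in the first pattern matter: without them a Pod could declare `runAsNonRoot: true` at the pod level and then set `runAsNonRoot: false` on a single container, and the pod-level check alone would wave it through. Start with `validationFailureAction: Audit`, read the policy reports, and switch to `Enforce` once existing workloads comply.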
OPA graduated from the CNCF in February 2021¶
OPA was one of the fastest CNCF projects to reach Graduated status: it entered the Sandbox in March 2018, moved to Incubating in April 2019, and graduated in February 2021. Graduation is the CNCF's signal that a project has demonstrated production adoption, a healthy contributor base, and sound governance. At the time of graduation, OPA's listed adopters included Netflix, Pinterest, Goldman Sachs, and the U.S. Air Force.
Policy engines prevent misconfigurations that cause 70% of cloud breaches¶
Industry reports from cloud security vendors commonly attribute around 70% of cloud security incidents to misconfiguration rather than to software vulnerabilities: publicly readable S3 buckets, overly permissive IAM policies, unencrypted databases, security groups open to the world. The exact figure varies with each report's methodology, but the pattern is consistent. Policy engines attack this class of problem at the point of change: evaluated at admission time or in a CI pipeline, a policy can reject a non-compliant configuration before it reaches production, instead of a scanner finding it afterwards.
Cedar is Amazon's policy language, and it's formally verified¶
Amazon created Cedar, a purpose-built authorization policy language, and open-sourced it in 2023; it is the language behind Amazon Verified Permissions and AWS Verified Access. What sets Cedar apart is how it was engineered: its authorization and validation semantics are modelled in the Lean proof assistant, key properties are proved against that model (for example, that a matching forbid policy always overrides any permit), and the production Rust implementation is continuously differentially tested against the verified model. That does not eliminate the possibility of evaluation bugs, since the Rust code is tested against the model rather than proved itself, but it makes them far less likely than in a hand-written engine. It also says nothing about whether a given policy expresses what its author intended: Cedar's schema-based validator catches type errors and references to undefined attributes, not mistaken business logic.
Policy-as-code enables "shift left" for security and compliance¶
The shift from manually reviewed security checklists to automated policy engines is part of the "shift left" movement in security. Running the same policies in CI/CD pipelines, before anything is deployed, catches violations when they are cheapest to fix: at the pull request stage, with the offending line annotated for the author, rather than in production. The CI check is a convenience layer, not the control: anyone with cluster or cloud credentials can bypass the pipeline, so the policies still need to be enforced at admission time, ideally from the same policy files so the two cannot drift apart.
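As an added example (not from the original page or from any project), a GitHub Actions workflow that gates pull requests with conftest, the OPA-based tool for testing configuration files. It assumes a repository layout chosen for this example: Kubernetes manifests under `k8s/` and Rego policies under `policy/` that define `deny` (and optionally `warn`) rules in `package main`, which is conftest's default namespace. The action versions are pinned to major tags that exist today; a real pipeline should pin to exact versions or commit SHAs.

```yaml
# .github/workflows/policy-gate.yml  (example path)
name: policy-gate
on:
  pull_request:
    paths:
      - "k8s/**"        # manifests under review
      - "policy/**"     # the policies themselves, so policy changes are also tested
jobs:
  conftest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      # conftest is a Go module, so "go install" avoids hand-pinning a release
      # tarball. Replace @latest with a tag for reproducible builds.
      - name: Install conftest
        run: go install github.com/open-policy-agent/conftest@latest
      # Run the Rego unit tests (files named *_test.rego under policy/) so a
      # broken policy fails here instead of silently allowing everything.
      - name: Verify policies
        run: conftest verify --policy policy/
      # Evaluate every manifest in k8s/ against data.main.deny and data.main.warn.
      # A non-empty deny set exits non-zero, which blocks the merge when this job
      # is a required status check. "--output github" turns each failure into an
      # annotation on the changed line in the pull request.
      - name: Test manifests
        run: conftest test k8s/ --policy policy/ --output github
```

The `verify` step is the one most teams forget: a policy with a typo in a field path matches nothing and denies nothing, so the pipeline goes green while enforcing nothing. Unit tests that assert a known-bad manifest is denied catch that. The same `policy/` directory can feed the admission-time enforcement, keeping CI and the cluster on one set of rules.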
Sentinel was HashiCorp's proprietary policy language, and the community resented it¶
HashiCorp created Sentinel as a policy-as-code language embedded in its Enterprise products (Terraform Cloud/Enterprise, Vault Enterprise, Consul Enterprise, and Nomad Enterprise). Because Sentinel was proprietary and only available in paid tiers, users of the open-source tools felt locked in, and the gap pushed many of them to OPA for Terraform policy enforcement, typically by evaluating Rego against the JSON plan output of `terraform show -json` with tools such as conftest; HashiCorp itself later added native OPA support to Terraform Cloud. That resentment was one of the background grievances when HashiCorp's August 2023 switch of Terraform to the Business Source License triggered the OpenTofu fork, although the license change, not Sentinel, was the fork's actual cause.
The "deny by default" vs. "allow by default" debate is fundamental¶
Policy engines force a design choice: should everything be allowed unless explicitly denied, or denied unless explicitly allowed? "Deny by default" is the fail-safe defaults principle from Saltzer and Schroeder's 1975 paper, and security-focused teams prefer it (safest, but friction-heavy, since every new need requires a policy change), while developer-focused teams prefer "allow by default" (fast, but every gap is an exposure). The choice lives inside the policies as much as in the engine: in OPA a decision nobody defined is undefined rather than false, so the idiom is to give the allow rule an explicit default of false and have the caller treat undefined as deny; in Gatekeeper and Kyverno, validation rules only fire when they match, so deny-by-default is achieved by writing allowlists ("images must come from one of these registries") instead of blocklists ("images must not come from that registry"). Many organizations start with "allow by default" and tighten policies after incidents force their hand; the cheaper path is to deploy allowlist policies in audit or dry-run mode first and switch to enforcement once the violation count reaches zero.
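As an added example (written for this page, not from the Kyverno project), the two philosophies side by side as Kyverno ClusterPolicies for container image sources: a blocklist, which is allow-by-default, and an allowlist, which is deny-by-default. The policy names and the registry hostnames are placeholders chosen for this example; only one of the two policies would be applied in practice, since the allowlist subsumes the blocklist.

```yaml
# Allow-by-default: a blocklist. Only one known-bad source is named, so anything
# unlisted is admitted, including a registry nobody has reviewed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-docker-hub                    # example name
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-docker-hub-images
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Images pulled from docker.io are not permitted."
        pattern:
          spec:
            containers:
              # "!" negates the wildcard match. Note the leak: an unqualified
              # name such as "nginx" is resolved to Docker Hub by the kubelet
              # but does not match the literal string "docker.io/*", so it
              # is admitted. Blocklists fail open in exactly this way.
              - image: "!docker.io/*"
---
# Deny-by-default: an allowlist. Every container image must match one of the
# approved registries; a new registry is rejected until someone adds it here,
# and the unqualified "nginx" above is rejected too.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: approved-registries-only            # example name
spec:
  validationFailureAction: Enforce          # use "Audit" while measuring impact
  background: true                          # report existing Pods that would fail
  rules:
    - name: approved-registries
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Container images must come from registry.example.com or ghcr.io/example-org."
        pattern:
          spec:
            # Conditional anchor: if initContainers exist, they must comply too.
            =(initContainers):
              - image: "registry.example.com/* | ghcr.io/example-org/*"
            containers:
              # "|" separates alternatives; each container must match one.
              - image: "registry.example.com/* | ghcr.io/example-org/*"
```

The allowlist is the one to run, and it is also the one that generates friction: the first time a team pulls an image from a registry not on the list, the Pod is refused. Running it with `validationFailureAction: Audit` and `background: true` first produces a policy report listing every existing workload that would be blocked, which is the migration list to work through before flipping to `Enforce`.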