
Open Policy Containers

A Docker-inspired workflow for OPA policies

Version your policies

Tag your policies with a semantic version, just like you would a Docker container.

Sign your policies

Sign your policy layers using cosign, an OCIv2 container signing solution from the sigstore project in the Linux Foundation.

Test policy versions

Run a local read-eval-print loop to test your versioned policy, by setting inputs and issuing queries.


Build, tag, push, and pull policy images

$ policy build . -t myorg/peoplefinder:1.0.0
$ policy tag myorg/peoplefinder:1.0.0 myorg/peoplefinder
$ policy push myorg/peoplefinder
$ policy pull myorg/peoplefinder

Sign layers and verify signatures

$ cosign initialize
$ cosign generate-key-pair
$ cosign sign --key cosign.key myorg/peoplefinder:1.0.0
$ cosign verify --key cosign.pub myorg/peoplefinder:1.0.0
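The two command sequences above (build/tag/push/pull and sign/verify) are the pieces of one release gate. The script below is an added example, not code from the Open Policy Containers project: it enforces that a policy image is tagged with an immutable semantic version (rejecting mutable tags such as `latest`) and, on the consuming side, runs `cosign verify` before `policy pull` so an unsigned or tampered policy never reaches the local store. It assumes the `policy` and `cosign` CLIs shown on this page are on `PATH`, that the key pair comes from `cosign generate-key-pair` (`cosign.key` / `cosign.pub`), and it reuses the page's `myorg/peoplefinder` image name; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not part of the Open Policy Containers project): a release
# gate for policy images that enforces the page's two conventions:
#   1. tags must be immutable semantic versions (no "latest", no "1.0"),
#   2. a consumer verifies the cosign signature before pulling layers.
# Assumptions: `policy` and `cosign` are on PATH; cosign.key / cosign.pub are
# the pair produced by `cosign generate-key-pair`; function names are mine.
set -eu

# Print the tag part of "repo:tag"; a reference without a tag is rejected.
image_tag() {
  case "$1" in
    *:*) printf '%s\n' "${1##*:}" ;;
    *)   return 1 ;;
  esac
}

# Succeed only for a strict MAJOR.MINOR.PATCH tag (no leading zeros).
# Refusing mutable tags means a consumer pins exactly the policy layer that
# was reviewed and signed, instead of whatever "latest" points at today.
is_semver_tag() {
  printf '%s\n' "$1" | grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# Shared check for both the publish and the consume side; prints the reason
# on failure so CI logs say why the gate tripped.
check_reference() {
  local ref="$1" tag
  if ! tag=$(image_tag "$ref"); then
    echo "refused: $ref has no tag; use an explicit version" >&2
    return 1
  fi
  if ! is_semver_tag "$tag"; then
    echo "refused: tag '$tag' is not a semantic version (e.g. 1.0.0)" >&2
    return 1
  fi
  return 0
}

# Consume side: verify the signature first, pull only if it checks out.
verify_then_pull() {
  local ref="$1" key="${2:-cosign.pub}"
  check_reference "$ref"
  cosign verify --key "$key" "$ref" >/dev/null
  policy pull "$ref"
}

# Publish side: build, push, then sign. cosign signs the image as it exists in
# the registry, so the push has to happen before the signature is attached.
build_sign_push() {
  local ref="$1" key="${2:-cosign.key}"
  check_reference "$ref"
  policy build . -t "$ref"
  policy push "$ref"
  cosign sign --key "$key" "$ref"
}

# Usage: ./gate.sh release myorg/peoplefinder:1.0.0
#        ./gate.sh pull    myorg/peoplefinder:1.0.0
if [ "${1:-}" = "release" ] && [ -n "${2:-}" ]; then
  build_sign_push "$2"
elif [ "${1:-}" = "pull" ] && [ -n "${2:-}" ]; then
  verify_then_pull "$2"
fi
```

The tag check runs before any network call on both sides, so a misnamed build fails fast; the verify-before-pull ordering is what turns the page's signing step into an actual control rather than an optional extra.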

Test your policy version with a read-eval-print loop

$ policy repl myorg/peoplefinder:1.0.0
> data.system.bundles
  "/Users/ogazitt/.policy/policies-root/blobs/sha256/84d...7e9": {
    "manifest": {
      "revision": "",
      "roots": [

We are a Cloud Native Computing Foundation sandbox project.


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.