Skip to main content

4 posts tagged with "opcr"

View All Tags

· 2 min read
Omri Gazitt

tl;dr: Open Policy Containers (OPCR) is now a CNCF Sandbox project, and it’s time to sunset the Open Policy Registry!


A little over a year ago, we created the OPCR project to bridge the gap between Open Policy Agent and the Open Container Initiative. We wanted to be able to build OPA policies into immutable images, which can be tagged, versioned, and signed just like any OCI image.

OPCR consisted of three initiatives:

  • policy, an open source CLI modeled after docker, that can build, tag, push, and pull policy images
  • Open Policy Registry, a container registry which could function as the “reference implementation” of a policy registry
  • Upstream work in the OPA project which allows OPA to consume policy images from any OCI-compliant registry (including the Open Policy Registry)


We’re excited to report that in December 2022, the CNCF has accepted OPCR, and specifically the policy CLI, as a Sandbox project! ✅

Back in May 2022, the OPA project accepted our contribution of (3), and now OPA can natively consume images built with the policy CLI! ✅ ✅

Finally, as more registries have added support for OCI v2 artifacts, including AWS ECR, Docker Hub, GitHub Container Registry, and Google Container Registry, we decided that maintaining a purpose-built registry for policy images is no longer necessary.

Therefore, we’re planning on retiring the Open Policy Registry (currently hosted at on January 31, 2023.

Migration plan

The domain, as well as the github opcr-io organization, will transfer to the CNCF, and will host the Open Policy Containers project (now focused entirely on the policy CLI).

Moving from to,, or any other OCI v2-compliant container registry is straightforward - please reach out to us in the community slack if you need any help!

For example, to move your content from to 

echo $PAT | policy login -s -u <username> -–password-stdin
policy pull<account>/<policy-name>:<tag>
policy tag<account>/<policy-name>:<tag><account>/<policy-name>:<tag>
policy push<account>/<policy-name>:<tag>

For Aserto users, we will continue to maintain the Aserto Policy Registry (, and you can continue to use the policy CLI with that registry.


We're excited how far we've come over the last year in getting OPA to natively consume policies packaged as OCI images. If you have any feedback or requests, don't hesitate to open an issue!


· 4 min read
Roie Schwaber-Cohen

The Open Policy Agent (OPA) is a general-purpose decision engine used in a wide variety of contexts where policies govern authorization and access-control. One of the most important value propositions of OPA is that it decouples decision logic (defined in the policy) from decision enforcement (which happens in the application or service). This decoupling allows the policy to be developed and managed separately from the application or service. Decision-making execution is delegated to the OPA engine, guaranteeing that the policies are consistently interpreted and enforced.

OPA is used to enforce policies in many contexts, including microservices, Kubernetes, CI/CD pipelines, and API gateways. Having a single engine and language for handling authorization policies across the stack is a huge advantage for developers: it allows for policy reuse and makes testing, automation, and maintenance easier.

OPA policies are written in Rego and then bundled into a compressed tarball. The tarball is then loaded into the target environment, where the policy is enforced.

We believe that OPA’s distribution workflow could be enhanced and improved by integrating it with two Linux Foundation OSS projects: OCIv2 - the industry standard for container image formats, and Sigstore, an open and pluggable standard for code signing.

Three interconnected concerns need to be addressed as part of the policy-as-code workflow: versioning, signing, and sharing.

  • Versioning a policy makes it easier to maintain, share and discover
  • Signing a policy makes it possible to trust that the policy’s content is what the consumer of the policy expects it to be
  • Sharing and discoverability of policies promote reuse and reduce duplication of code and effort.

· One min read
Omri Gazitt
Vlad Iovanov

We wrote a quick tutorial for getting started with the policy CLI.

It takes about 5 minutes to complete, and you'll learn how to:

  • build and tag OPA containers
  • push and pull OPA containers from the Open Policy Registry
  • sign and verify OPA containers with cosign
  • Run a read-eval-print loop, issuing queries to your OPA container

The full tutorial is here.

Happy hacking!