OPA Rego Vocabulary — Policy Rules and Documents

Practice the precise vocabulary used when writing, discussing, and reviewing OPA (Open Policy Agent) policies in Rego: how rules are expressed, how documents are described, and how policy decisions are communicated to teammates.

Vocabulary Reference

policy rule
A named Rego expression that produces a value (boolean, string, set, or object) when its body evaluates to true. E.g., allow { input.role == "admin" }.
allow / deny
Conventional Rego rule names for the final access decision. allow = true grants access; deny (or default allow = false) blocks the request unless an explicit rule fires.
input document
The JSON object OPA receives at query time describing the thing being evaluated — e.g., the Kubernetes admission request, the API call, or the Terraform resource.
data document
Static or dynamically loaded JSON available to all Rego rules under the data global — used for allowlists, role maps, and policy-time configuration that is not part of the request.
"the policy evaluates to"
Standard phrase for describing what a policy decision returns: "The policy evaluates to deny because the image tag is latest."