Open Policy Agent (OPA)

Use OPA and Rego to enforce infrastructure policies against the knowledge graph. Validate resource configurations, tagging rules, and compliance requirements.

Overview

The OPA integration feeds the entire knowledge graph as an OPA input document, allowing you to write Rego policies that validate your infrastructure. Policies are evaluated on every discovery run, and violations are reported as findings attached to the relevant resources.

Policy-as-code meets graph data
Unlike static policy engines, OPA with Knowledge Tree evaluates policies against the full graph -- including relationships. This means you can write policies like "every internet-facing load balancer must have a WAF attached" by traversing the graph.

Policy input

The OPA input document is a JSON representation of the knowledge graph for the scope being evaluated:

{
  "resources": [
    {
      "id": "i-abc123",
      "type": "aws_ec2_instance",
      "provider": "aws",
      "scope": "production",
      "tags": {"Environment": "production", "Owner": "platform"},
      "properties": {
        "instance_type": "t3.large",
        "subnet_id": "subnet-xyz"
      }
    }
  ],
  "relationships": [
    {
      "source": "i-abc123",
      "target": "sg-web",
      "type": "ATTACHED_TO"
    }
  ]
}

Rego examples

# policies/tagging.rego -- require Owner tag on all resources (one package per file)
package kt.tagging

violations[resource.id] {
  resource := input.resources[_]
  not resource.tags.Owner
}

# policies/security.rego -- internet-facing LBs must have WAF
package kt.security

violations[lb.id] {
  lb := input.resources[_]
  lb.type == "aws_alb"
  lb.properties.scheme == "internet-facing"
  not has_waf(lb)
}

has_waf(lb) {
  rel := input.relationships[_]
  rel.source == lb.id
  rel.type == "PROTECTED_BY"
  waf := input.resources[_]
  waf.id == rel.target
  waf.type == "aws_waf_web_acl"
}
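A unit test for the WAF policy above, added here as an example and not part of the original page. It lives beside the policy as policies/security_test.rego (an assumed file name) in the same package, builds a constructed input, and checks the edge case that matters most: a PROTECTED_BY relationship pointing at something other than a WAF web ACL must still count as a violation.

```rego
package kt.security

# Constructed sample input (not from a real discovery run).
# lb-public-ok   : internet-facing, PROTECTED_BY a real aws_waf_web_acl
# lb-public-bad  : internet-facing, no PROTECTED_BY relationship at all
# lb-public-fake : internet-facing, PROTECTED_BY a security group, not a WAF
# lb-internal    : internal scheme, out of scope for this policy
sample_input := {
  "resources": [
    {"id": "lb-public-ok", "type": "aws_alb", "properties": {"scheme": "internet-facing"}},
    {"id": "lb-public-bad", "type": "aws_alb", "properties": {"scheme": "internet-facing"}},
    {"id": "lb-public-fake", "type": "aws_alb", "properties": {"scheme": "internet-facing"}},
    {"id": "lb-internal", "type": "aws_alb", "properties": {"scheme": "internal"}},
    {"id": "waf-main", "type": "aws_waf_web_acl"},
    {"id": "sg-web", "type": "aws_security_group"}
  ],
  "relationships": [
    {"source": "lb-public-ok", "target": "waf-main", "type": "PROTECTED_BY"},
    {"source": "lb-public-fake", "target": "sg-web", "type": "PROTECTED_BY"}
  ]
}

# An internet-facing LB with no WAF relationship is reported.
test_unprotected_public_lb_is_flagged {
  violations["lb-public-bad"] with input as sample_input
}

# An internet-facing LB whose PROTECTED_BY target is a real WAF passes.
test_protected_public_lb_passes {
  not violations["lb-public-ok"] with input as sample_input
}

# Edge case: PROTECTED_BY a non-WAF resource does not satisfy has_waf.
test_protected_by_non_waf_is_still_flagged {
  violations["lb-public-fake"] with input as sample_input
}

# Internal LBs never enter the rule body, so they are never reported.
test_internal_lb_is_out_of_scope {
  not violations["lb-internal"] with input as sample_input
}

# The full violation set is exactly the two unprotected public LBs.
test_exact_violation_set {
  violations == {"lb-public-bad", "lb-public-fake"} with input as sample_input
}
```

Run it with `opa test policies/security.rego policies/security_test.rego`; on OPA 1.0 or later add `--v0-compatible`, since these examples use the pre-1.0 rule syntax.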

Continuous compliance

OPA policies are evaluated as part of the discovery pipeline. Policy results are stored as findings:

  • Per-resource findings -- each violation is linked to the failing resource
  • Severity levels -- critical, high, medium, low (defined in policy metadata)
  • Trend tracking -- policy compliance trending over time
  • Reporting -- compliance reports exportable for audits
  • Remediation guidance -- optional remediation instructions embedded in policy

Configuration

# config.yaml
opa:
  policies:
    - path: "./policies/tagging.rego"
    - path: "./policies/security.rego"
    - path: "./policies/compliance.rego"
  evaluation:
    trigger: on_discovery_complete
    fail_on_error: false
  reporting:
    store_findings: true
    min_severity: medium