docs/docs/ocp/index.md
OPA Control Plane (OCP) simplifies how you manage policies for your OPA deployments. It provides a centralized management system to control how OPA instances receive the policies and data they need to make decisions. OCP provides:
Follow this section to get a quick example running on your laptop. By following these instructions, you will be able to:
This example is designed for rapid iteration and learning, making it ideal for new users who want to understand OCP's fundamental concepts and operational flow in a controlled, personal setting. The focus is on simplicity and clarity, ensuring that each step is easy to follow and the outcomes are immediately visible.
Install the opactl tool using one of the install methods listed below.
The bundle is defined by a configuration file, normally placed in the config.d directory. More details can be found in the Concepts section, but for now let's use this configuration. In your working directory, add the following to ./config.d/hello.yaml:

```yaml
bundles:
  hello-world:
    object_storage:
      filesystem:
        path: bundles/hello-world/bundle.tar.gz
    requirements:
      - source: hello-world
sources:
  hello-world:
    directory: files/sources/hello-world
    paths:
      - rules/rules.rego
```
Define a simple policy for this bundle. Add the following to ./files/sources/hello-world/rules/rules.rego:

```rego
package rules

import rego.v1

default allow := false

allow if {
	input.user == "alice"
}
```
In your working directory run the build command:

```bash
opactl build
```
You could set up a simple server to serve up the bundle, but for now, use OPA to watch the bundle. Run this in your working directory:

```bash
opa run -s -w ./bundles/hello-world/bundle.tar.gz
```
You should now be able to test the policy running in OPA using the following curl command:

```bash
curl localhost:8181/v1/data/rules/allow -d '{"input":{"user":"alice"}}'
```
You can also try changing the policy in ./files/sources/hello-world/rules/rules.rego. After you make the change, rerun the build command from above to see the changes reflected in OPA.
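A service that enforces this decision should deny unless OPA answers with an explicit true, because OPA's Data API returns HTTP 200 with no result key when the queried document is undefined (for example, when the bundle has not loaded). The Go client below is an added example, not code from the OCP or OPA projects; the function names parseDecision and decide are hypothetical, and the address is the one used by the curl command above.

```go
// Added example: fail-closed client for the quick-start policy (data.rules.allow).
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"time"
)

// parseDecision (hypothetical name) turns an OPA Data API reply into a fail-closed boolean.
func parseDecision(status int, body []byte) (bool, error) {
	if status != http.StatusOK {
		return false, fmt.Errorf("opa returned HTTP %d, denying", status)
	}
	// A pointer separates "result": false from an absent result, which is how
	// OPA answers when the queried document is undefined.
	var out struct {
		Result *bool `json:"result"`
	}
	if err := json.Unmarshal(body, &out); err != nil {
		return false, fmt.Errorf("unreadable decision, denying: %w", err)
	}
	if out.Result == nil {
		return false, fmt.Errorf("decision undefined, denying")
	}
	return *out.Result, nil
}

// decide (hypothetical name) posts the input document; any transport error is a deny.
func decide(baseURL, user string) (bool, error) {
	in, _ := json.Marshal(map[string]any{"input": map[string]string{"user": user}})
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Post(
		baseURL+"/v1/data/rules/allow", "application/json", bytes.NewReader(in))
	if err != nil {
		return false, fmt.Errorf("opa unreachable, denying: %w", err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the reply size
	if err != nil {
		return false, fmt.Errorf("short read, denying: %w", err)
	}
	return parseDecision(resp.StatusCode, body)
}

func main() {
	fmt.Println(decide("http://localhost:8181", "alice")) // address from the curl command
}
```
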
If you start OCP outside of Docker without any arguments, it prints a list of available commands. By default, the official OCP Docker image executes the run command. Some of the arguments for OCP's run command are:

- --addr to set the listening address (default: localhost:8282).
- --log-level to set the log level (default: "info").

OCP Docker images are available on Docker Hub for the edge releases (i.e. tip of main branch). To get more information on the other run command arguments:

```bash
docker run openpolicyagent/opa-control-plane:edge run --help
```
To build the OCP binary locally, run the following command from the root folder. You will need to have a recent version of Go installed.

```bash
make build
```
The binary will be created in the form opactl_<OS>_<ARCH> (e.g., opactl_darwin_arm64, opactl_linux_amd64).
```bash
# Example for macOS/Linux (adjust filename for your platform)
chmod +x ./opactl_darwin_amd64
./opactl_darwin_amd64 version
```