Decision tree
OPA, Kyverno, Cedar — which engine, where.
Policy-as-code is how architecture principles stop being PDFs. The right engine depends almost entirely on where the decision gets evaluated, not on language preference. This tree walks the three serious options across admission, CI, IaC, and application-authorisation surfaces.
The questions in this tree:
- Where will policy decisions need to be evaluated?
- Do you have, or are you ready to invest in, Rego skill on the team?
- Is the authz model fixed-RBAC, or does it need fine-grained ReBAC / ABAC with policy-language flexibility?