RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Open Policy Agent (OPA)解除 ×

Open Policy Agent (OPA)

Security2026年6月25日

v1.18.0 is a bugfix rollup with one operator-facing behavior change: the outbound User-Agent header is now hyphenated to conform to RFC 9110. The remaining changes are runtime improvements, formatter and coverage tool fixes, and a Go toolchain bump.

  • breakingUser-Agent header format changed (RFC 9110 conformance)

    The outbound User-Agent header OPA sends on HTTP requests changed from 'Open Policy Agent/<version> (<os>, <arch>)' to 'Open-Policy-Agent/<version> (<os>, <arch>)' (hyphen added between 'Open' and 'Policy'). Any server-side log filters, WAF rules, or access policies that exact-match the old string must be updated after upgrading to v1.18.0.

主な変更 (7)
  • User-Agent header now uses 'Open-Policy-Agent' (hyphenated) instead of 'Open Policy Agent'; exact-match log filters or WAF rules targeting the old string will break
  • Container-aware resource limits restored and extended: automatic GOMAXPROCS support is back, and automatic GOMEMLIMIT is newly supported
  • Multiple opa fmt correctness fixes: multiline single-entry iterables are preserved, and with-clauses dropped after comments are restored
  • opa test --coverage improvements: ranges now included in the report, inline rule head tracking, and conjunction expression coverage added
  • Fixed partial evaluation regression for future.keywords.not negation inside every blocks, and fixed variable namespacing in comprehensions nested inside every
  • Performance: reduced allocations in object.get, removed a shortcut in topdown dst.Compare(src), and skipped strconv.ParseInt in the format_int base-10 fast path
  • Go bumped from 1.26.3 to 1.26.4; various website and node dependencies also updated
原文

Open Policy Agent (OPA)

Security2026年5月28日

OPA v1.17.0 fixes a semantic bug in negation handling and improves decision log label reporting. Most changes are enhancements; one dependency removal requires manual GOMAXPROCS configuration in some environments.

  • breakingRemoved automaxprocs and x/net dependencies; configure GOMAXPROCS manually if needed

    OPA v1.17.0 removes the automaxprocs and x/net dependencies, reducing the runtime footprint and eliminating potential conflicts with applications that also manage those libraries. No action is required unless your deployment explicitly depends on automaxprocs behavior (automatic CPU detection and GOMAXPROCS tuning). If you rely on that behavior, you may need to configure GOMAXPROCS explicitly in your environment or deployment. Most users will see no impact.

  • enhancementImport future.keywords.not to fix negation semantics in composite expressions

    OPA v1.17.0 introduces a new `future.keywords.not` import that fixes a long-standing semantic bug where negation of composite expressions (`not f(g(input.x))`) would fail silently if any intermediate value was undefined, instead of correctly succeeding. With the import enabled, undefined intermediates no longer cause rule failure. If your policies rely on negation of complex expressions where inputs or function results might be undefined, import `future.keywords.not` to fix unintuitive failures. This is a behavioral change that may affect policy evaluation, but in the direction of correctness.

  • enhancementUpdate decision log parsing for new rule_labels array format

    Decision logs now include a new top-level `rule_labels` array that collects labels from all successfully evaluated rules in a single entry, with inner-scope-wins precedence (rule > document > package > subpackages). This replaces the previous behavior of one log entry per label-contributing scope. If you parse or query decision logs by rule labels, update your log parsing logic to read from `rule_labels` as an array of merged label maps rather than individual scope-level entries. This change simplifies label aggregation and is now processed by default in both runtime and Go SDK.

主な変更 (5)
  • New `future.keywords.not` import fixes unintuitive failures when negating composite expressions with undefined intermediates.
  • Decision logs now include `rule_labels` array with merged labels from all successfully evaluated rules.
  • Bundle manifest and IR plan JSON schemas are now published for validation and tooling integration.
  • Removed automaxprocs and x/net dependencies to reduce runtime footprint.
  • Pattern validation enabled in `json.verify_schema` and `json.match_schema` builtin functions.
原文

Open Policy Agent (OPA)

Security2026年4月30日

v1.16.0 brings new URI builtins, Data API metadata support, OTLP metrics export, and critical fixes for log dropping and log buffer eviction bugs introduced in v1.15.x.

  • securityunits.parse_bytes exponent cap prevents timeout bypass

    Extremely large exponent values in units.parse_bytes could be used to cause evaluation timeouts, potentially bypassing policy enforcement. This is fixed in v1.16.0 by capping the exponent size. If your policies accept user-controlled input that gets passed to units.parse_bytes, this fix is directly relevant — upgrade and review any policies that parse byte strings from untrusted sources.

  • breakingUpgrade from v1.15.x immediately — logs are silently dropped

    A BufferedLogger bug in v1.15.x caused bundle download logs, print() debug output, and plugin logs to be dropped after the first flush. This is silent data loss in your observability stack. If you're running v1.15.x in any environment where decision logs or debug output matter, upgrade to v1.16.0 now. Check your log pipeline for gaps if you've been running v1.15.x in production.

  • enhancementUse new uri.parse / uri.is_valid builtins to replace fragile regex-based URL validation

    Many OPA policies today use regex or string manipulation to validate or decompose URLs — a brittle approach. The new uri.parse builtin returns structured RFC 3986 components (scheme, host, path, query, etc.), and uri.is_valid does a clean true/false structural check. If you have policies handling redirect URIs, webhook URLs, or any URL-bearing input, replace your custom parsing logic with these builtins. The structured output makes it easier to write precise, readable rules.

主な変更 (5)
  • New uri.parse and uri.is_valid builtins for RFC 3986-compliant URI handling in policy
  • Data API now supports request/response metadata for wrapping projects — custom fields logged under decision log Custom['request_metadata']
  • Prometheus metrics can now be exported via OTLP, unifying observability pipelines
  • Critical fix: v1.15.x dropped logs for bundle downloads, print() calls, and plugin-originated logs — upgrade immediately if on v1.15.x
  • units.parse_bytes exponent size now capped to prevent potential timeout bypass (security hardening)
原文

Open Policy Agent (OPA)

Security2026年3月26日

OPA v1.15.0 adds a pluggable logging system with file rotation, breaks custom HTTPAuthPlugin implementations, and extends AWS signing to support web identity credentials.

  • breakingAudit and fix custom HTTPAuthPlugin implementations before upgrading

    If you've built a custom HTTPAuthPlugin, NewClient() is now called once per Client instance, not per request. Any per-request logic (counters, transport wrapping, logging side effects) sitting in NewClient() will now execute exactly once and silently produce wrong behavior. Before upgrading, audit your plugin and move all per-request logic to Prepare(). OPA's own built-in plugins are already updated, so this only affects teams with custom plugins.

  • enhancementAdopt the file logger plugin to consolidate OPA log management

    The new file_logger plugin writes structured JSON logs with automatic rotation, covering both runtime and decision logs through a single configuration block under server.logger_plugin. If you're currently tailing OPA stdout or piping to an external log shipper, switching to the file logger reduces operational complexity and gives you rotation out of the box. Decision log plugin output via the same logger plugin is a clean alternative to the HTTP bundle endpoint for low-latency environments.

  • enhancementEnable web identity credentials for AWS-backed OPA deployments on EKS

    OPA running on EKS with IRSA (IAM Roles for Service Accounts) can now use Web Identity tokens directly for Assume Role credential flows in AWS Signing. If you've been working around this with instance profile credentials or manual token injection, you can now configure this natively. Update your REST plugin AWS signing config to use the web identity provider and align with standard EKS IAM patterns.

主な変更 (5)
  • New logger plugin interface (based on Go's slog.Handler) lets you route OPA runtime and decision logs to custom destinations, including a built-in file logger with rotation via lumberjack
  • Breaking: HTTPAuthPlugin.NewClient() is now called once and cached — per-request logic there will silently stop working; move it to Prepare()
  • AWS Signing now supports Web Identity (Service Account) credentials for Assume Role flows
  • TLS client cert re-reads are now configurable via cert_reread_interval_seconds, with content hashing to skip unnecessary re-parses
  • All TLS configurations now inherit server-level minimum version and ciphersuite settings — previously per-client TLS configs could diverge
原文

Open Policy Agent (OPA)

Security2026年3月9日

OPA v1.14.1 is a patch release that reverts rule indexer changes causing lookup failures and fixes a plugin manager deadlock, while updating dependencies for security vulnerabilities.

  • securitySecurity updates in dependencies

    This release includes Go 1.26.1 and updated dependencies that patch known vulnerabilities. Schedule this upgrade as part of your regular security maintenance cycle, especially if you're running OPA in production.

  • breakingUpgrade immediately if using v1.14.0

    The rule indexer changes in v1.14.0 cause policy lookup failures for some configurations. Deploy v1.14.1 to restore reliable policy evaluation. The optimization will return in v1.15.0 with proper fixes.

  • enhancementPlugin manager stability improved

    The deadlock fix resolves intermittent hangs during configuration operations. If you've experienced unexplained OPA freezes during plugin configuration, this release should eliminate those issues.

主な変更 (4)
  • Reverted rule indexer optimization from v1.14.0 that caused unexpected policy lookup failures
  • Fixed intermittent deadlock in plugins manager during opa.configure operations
  • Updated Go to version 1.26.1 and refreshed dependency versions
  • Addressed various Golang standard library and package vulnerabilities
原文