Sign in Subscribe
Concepts

The license changed, and the industry took notice.

Andrios Robert

1 min read

Open Policy Agent (OPA) is one of the most widely adopted open-source tools for policy enforcement across cloud-native systems. For years, it was governed by the Apache 2.0 license, making it easy for anyone to use, modify, and distribute without many restrictions. But in April 2024, the Open Policy Agent project introduced a new licensing model that changes how companies integrate and ship it at scale.

The OPA licensing model now follows the Business Source License (BSL). This shift has major implications for vendors and teams embedding OPA into commercial products. Under BSL, the code is free to use for evaluation, development, and internal purposes — but commercial use at scale requires a separate agreement. After a defined change date (usually four years), the code automatically reverts to the Apache 2.0 license.

Why the change? The maintainers want to ensure sustainable development and fair monetization for companies relying heavily on OPA. The new policy aligns with a growing trend among open-source projects that seek to protect themselves from being repackaged and sold by third parties without contributing back.

What does this mean for engineering and product teams?

  • If you run OPA in internal infrastructure, the impact is minimal.
  • If you embed OPA in a SaaS or PaaS offering, review the license terms closely.
  • If you distribute OPA as part of a product that generates revenue, expect to negotiate a commercial license.

The OPA licensing model does not change the way policies are written in Rego or how they are enforced across services. It does, however, affect the business and operational context for deploying OPA at production scale. Teams using OPA in Kubernetes, Envoy, CI/CD pipelines, or API gateways must now track licensing obligations alongside configuration and performance.

Migrating to an alternative policy engine is possible, but it comes with high switching costs. Staying with OPA under the new model may involve direct vendor relationships. Either path requires legal and engineering alignment early in the planning cycle.

If you want to explore modern policy enforcement without worrying about breaking license terms, hoop.dev offers an instant, hosted environment to prototype policy workflows. See it live in minutes — no local setup, no risk of hidden licensing surprises.