Problem
Rego is too much to ask of most application teams as the primary authoring surface. The engine is powerful and should remain, but the current experience makes teams feel they need to learn Rego just to express common allow rules and policy templates. That creates unnecessary adoption friction.
Why this matters
The product should not force every team into policy-language expertise before they can use the core value. The current approach also makes basic setup feel more complicated than it needs to be, even when the underlying system already supports templates, validation, preview, and simulation.
Potential solution
Add a declarative allow-rule layer in the Console and API for the common case: application, resource, scopes, and labels. Compile that layer into the existing Rego template pipeline, preserving versioning, validation, simulation, and activation exactly as they work today. Keep raw Rego as the escape hatch for advanced cases.
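The compile step proposed above, as an added example that is not the project's code. The rule schema, the `input.application` / `input.resource` / `input.scopes` / `input.labels` document layout, the `generated.rule_<name>` package name, and the "every listed scope must be granted" semantics are all assumptions; the issue names the four fields but not their shape.

```python
import json
import re

# Hypothetical rule-name format; the name becomes part of the Rego package
# path, so it is the one field that cannot be emitted as a quoted string.
_NAME = re.compile(r"[a-z][a-z0-9_]*")

def compile_allow_rule(rule):
    """Compile one declarative allow rule (assumed schema) into Rego source."""
    name = rule.get("name")
    # fullmatch, not match with "$": "$" would accept a trailing newline
    if not isinstance(name, str) or not _NAME.fullmatch(name):
        raise ValueError(f"invalid rule name: {name!r}")
    for field in ("application", "resource"):
        if not isinstance(rule.get(field), str) or not rule[field]:
            raise ValueError(f"{field} must be a non-empty string")
    scopes = rule.get("scopes") or []
    labels = rule.get("labels") or {}
    if not isinstance(scopes, list) or not scopes or not all(isinstance(s, str) for s in scopes):
        raise ValueError("scopes must be a non-empty list of strings")
    if not isinstance(labels, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in labels.items()):
        raise ValueError("labels must map strings to strings")

    # User-supplied values only enter the policy as JSON-escaped string
    # literals, so quotes or newlines in them cannot add or close rules.
    q = json.dumps
    lines = [
        f"package generated.rule_{name}",
        "",
        "import rego.v1",
        "",
        "default allow := false",
        "",
        "allow if {",
        f"\tinput.application == {q(rule['application'])}",
        f"\tinput.resource == {q(rule['resource'])}",
    ]
    lines += [f"\t{q(s)} in input.scopes" for s in sorted(set(scopes))]
    lines += [f"\tinput.labels[{q(k)}] == {q(labels[k])}" for k in sorted(labels)]
    lines.append("}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample rule, not taken from the project
    print(compile_allow_rule({
        "name": "billing_read", "application": "billing-api",
        "resource": "invoices", "scopes": ["invoices:read"],
        "labels": {"env": "prod"},
    }))
```

The returned text is ordinary Rego, so it can be stored, inspected, and passed through the same validation and simulation steps as a hand-written template.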
Open questions
Someone should reason further on the boundary between the declarative layer and raw Rego: which policy shapes belong in the simplified path, and which should stay template-only or Rego-only.
Acceptance criteria
- Common policies can be authored without writing Rego.
- Generated policies remain inspectable and versioned.
- Validation, preview, simulation, and activation continue to work unchanged.
- Advanced Rego remains supported for long-tail cases.
Release note
This is not part of the current major release. It should be targeted for the next major release.