Key terms and concepts used throughout ops0.
A lightweight service installed in your Kubernetes cluster that enables ops0 to monitor pods, collect metrics, and respond to incidents. The agent communicates securely with ops0's API.
The Terraform/OpenTofu command that creates, updates, or deletes infrastructure to match your configuration. In ops0, apply runs after a successful plan and policy check.
A process requiring one or more team members to review and approve changes before they're deployed. Configured per-project based on environment (e.g., production requires approval).
A record of all actions taken in ops0, including who did what and when. Used for compliance, security analysis, and troubleshooting.
A reusable project template that contains pre-configured IaC code, variable defaults, and settings. Create new projects from blueprints to standardize infrastructure patterns across your organization.
A static analysis tool that scans Terraform and OpenTofu files for security misconfigurations before deployment. ops0 integrates Checkov alongside OPA/Rego for layered security scanning.
A Kubernetes cluster connected to ops0. Can be any managed Kubernetes (EKS, GKE, AKS) or self-hosted cluster with the ops0 agent installed.
A percentage representing how many resources pass policy checks. 100% means no violations; lower scores indicate policy violations that need attention.
The practice of managing server configurations (packages, files, users, services) using tools like Ansible, Chef, or Puppet. Distinct from IaC, which provisions the infrastructure itself.
The process of applying infrastructure changes to your cloud environment. In ops0, a deployment includes plan, policy check, optional approval, and apply phases.
An ops0 feature that scans your cloud accounts to find existing resources and produce Terraform code for them. Helps bring unmanaged infrastructure under IaC control.
When actual infrastructure state differs from what's defined in code. ops0 can detect drift and show you what's changed.
A single scan run within Discovery. Each session captures a snapshot of your cloud resources at a point in time. Sessions can be compared to track changes over time.
A security identifier used in AWS Assume Role configurations. Prevents confused deputy attacks by ensuring only authorized parties can assume the role.
Two-way synchronization between ops0 projects and GitHub repositories. Changes in either location sync automatically, enabling GitOps workflows.
A practice where Git is the single source of truth for infrastructure. Changes are made via pull requests, reviewed, and automatically deployed when merged.
The practice of defining infrastructure using declarative configuration files instead of manual processes. ops0 supports Terraform, OpenTofu, and Oxid, with Pulumi and CloudFormation support upcoming.
An issue detected by ops0 in your Kubernetes cluster, such as pod crashes, OOMKills, or failed deployments. Incidents include context and suggested remediation.
A connection between ops0 and an external service (AWS, GCP, Azure, GitHub, Slack). Integrations provide credentials and permissions for ops0 to interact with those services.
A Kubernetes-native policy engine that enforces rules on cluster resources using YAML policies. ops0 uses Kyverno for Kubernetes policy enforcement alongside OPA/Rego for IaC policies.
An open-source Kubernetes cost monitoring tool. ops0 integrates OpenCost for per-namespace, per-pod, and per-controller cost breakdowns with efficiency metrics and optimization recommendations.
An open-source fork of Terraform maintained by the Linux Foundation. Fully compatible with Terraform configurations and state files. ops0 supports OpenTofu as a first-class IaC engine.
The policy engine ops0 uses to evaluate infrastructure against your rules. Policies are written in Rego, OPA's query language.
A Rust-based IaC engine that stores Terraform/OpenTofu state in a PostgreSQL database instead of cloud object storage. ops0 supports Oxid as a first-class IaC type with automatic post-deployment state sync.
The top-level container in ops0. Contains users, teams, projects, integrations, and settings. Typically maps to a company or business unit.
A preview of what changes Terraform/OpenTofu will make before applying. Shows resources to be created, modified, or destroyed. Essential for reviewing changes safely.
A rule that evaluates infrastructure code or runtime behavior. Policies can warn or block deployments. Written in Rego and evaluated before apply.
A workspace in ops0 containing infrastructure code (IaC project) or configuration code (Configuration project). Projects have their own files, deployments, and settings.
An interactive interface for exploring your infrastructure state using natural language. Ask questions in plain English about resources, dependencies, costs, vulnerabilities, and project relationships. Powered by Oxid's PostgreSQL backend with cost and vulnerability overlays, saved queries, and CSV/JSON export.
The query language used by Open Policy Agent. Used to write ops0 policies. Example: `deny[msg] { input.resource.type == "aws_s3_bucket"; not input.resource.encryption; msg := "S3 bucket must have encryption enabled" }` (the rule must bind `msg`, otherwise OPA rejects it as an unsafe variable).
A set of permissions that can be assigned to users. Built-in roles include Owner, Admin, Developer, and Viewer. Custom roles can be created.
Cloning an IaC project to a different cloud provider, region, or account. ops0's AI transforms resource definitions between clouds (e.g., AWS to GCP) and regenerates provider and backend configurations automatically.
Reverting infrastructure to a previous state. In ops0, you can restore any previous deployment version.
Terraform's record of what infrastructure it manages. Maps configuration to real resources. ops0 manages state securely by default.
A single action within a workflow. Types include IaC Deploy, Script, HTTP Request, Approval, and more. Steps execute sequentially or in parallel.
A pre-send scanning system that detects credentials, PII, and secrets in messages before they are sent to the AI assistant. Uses pattern matching and Microsoft Presidio to identify and optionally redact sensitive data.
Intentionally ignoring a policy violation. Requires justification and can have an expiration date. Suppressed violations don't affect compliance scores.
A group of users within an organization. Teams can be granted access to specific projects with specific roles. Enables department-level permissions.
HashiCorp's infrastructure provisioning tool. The most widely used IaC tool. ops0 supports Terraform as a first-class IaC type.
A container vulnerability scanner. ops0 integrates the Trivy Operator into Kubernetes clusters to scan running container images for CVEs in OS packages and application dependencies.
What starts a workflow execution. Types include manual, scheduled (cron), webhook, Git push, incident, and workflow completion.
An interactive visualization of cross-project IaC dependencies. Shows how outputs from one project feed into variables of another via terraform_remote_state, with impact analysis and blast radius assessment.
A policy check failure. Violations have severity (Critical, High, Medium, Low) and can block deployments or just warn. Track violations in the Compliance dashboard.
An automated sequence of steps triggered by an event. Used for CI/CD pipelines, scheduled tasks, incident response, and multi-step operations.
| Abbreviation | Meaning |
|---|---|
| IaC | Infrastructure as Code |
| K8s | Kubernetes |
| OPA | Open Policy Agent |
| RBAC | Role-Based Access Control |
| SSO | Single Sign-On |
| OIDC | OpenID Connect |
| SAML | Security Assertion Markup Language |
| IAM | Identity and Access Management |
| VPC | Virtual Private Cloud |
| EKS | Elastic Kubernetes Service (AWS) |
| GKE | Google Kubernetes Engine |
| AKS | Azure Kubernetes Service |