diff --git a/podvm/addons/opa/README.md b/podvm/addons/opa/README.md
new file mode 100644
index 0000000000..d6c639a590
--- /dev/null
+++ b/podvm/addons/opa/README.md
@@ -0,0 +1,6 @@
+## Introduction
+
+This is a skeleton addon
+
+To enable an addon, create a file `.enable` in the current addon directory as
+well as in the top-level `podvm/addons` dir.
diff --git a/podvm/addons/opa/allow-all-except-exec-process.rego b/podvm/addons/opa/allow-all-except-exec-process.rego
new file mode 100644
index 0000000000..ec3bf15a9e
--- /dev/null
+++ b/podvm/addons/opa/allow-all-except-exec-process.rego
@@ -0,0 +1,39 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+
+default ExecProcessRequest := false
diff --git a/podvm/addons/opa/allow-all.rego b/podvm/addons/opa/allow-all.rego
new file mode 100644
index 0000000000..7ac8134f03
--- /dev/null
+++ b/podvm/addons/opa/allow-all.rego
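Review bot: `default SetPolicyRequest := true` in the middle of the hunk leaves the one restriction this file adds, `default ExecProcessRequest := false` on its last line, replaceable at runtime: as far as I can tell from the agent policy request names, a caller permitted to issue SetPolicyRequest can load a different policy that re-enables exec. If the intent is for exec to stay blocked for the lifetime of the sandbox, the line should read `default SetPolicyRequest := false`. The same `SetPolicyRequest := true` default appears in allow-all.rego, where it matches that file's stated purpose, so no change is suggested there.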
@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
diff --git a/podvm/addons/opa/kata-opa.service b/podvm/addons/opa/kata-opa.service
new file mode 100644
index 0000000000..3aaa5f0b3a
--- /dev/null
+++ b/podvm/addons/opa/kata-opa.service
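Review bot: The file carries no comment stating what it is for, and setup.sh (in a later hunk of this diff) symlinks it to /etc/kata-opa/default-policy.rego, so it is the policy a pod VM boots with unless something replaces it. A one-line comment after `package agent_policy`, e.g. `# Permissive default: every agent request, including SetPolicyRequest, is allowed; use allow-all-except-exec-process.rego or a stricter policy to restrict the sandbox.`, would make that visible to anyone enabling the addon. The symlink choice itself lives in setup.sh, so this file is the only place a reader of the policy would see it.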
@@ -0,0 +1,32 @@
+#
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+[Unit]
+Description=Open Policy Agent for Kata Containers
+Documentation=https://github.com/kata-containers
+ConditionPathExists=/etc/kata-opa/default-policy.rego
+
+# kata-agent connects to OPA while starting up.
+Before=kata-agent.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info
+DynamicUser=yes
+RuntimeDirectory=kata-opa
+LimitNOFILE=1048576
+
+# Don't restart because there may be an active policy that would be lost.
+Restart=no
+
+# Send log output to tty to allow capturing debug logs from a VM vsock port.
+StandardError=tty
+
+# Discourage OOM-killer from touching the policy service.
+OOMScoreAdjust=-997
+
+[Install]
+WantedBy=multi-user.target
diff --git a/podvm/addons/opa/setup.sh b/podvm/addons/opa/setup.sh
new file mode 100755
index 0000000000..505f438542
--- /dev/null
+++ b/podvm/addons/opa/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+
+#This is the dir in the pod vm image during build
+ADDONS_DIR="/tmp/addons"
+
+
+# Copy policy file
+mkdir -p /etc/kata-opa
+
+cp ${ADDONS_DIR}/opa/allow-all.rego /etc/kata-opa
+cp ${ADDONS_DIR}/opa/allow-all-except-exec-process.rego /etc/kata-opa
+
+# Create default rego policy
+ln -s /etc/kata-opa/allow-all.rego /etc/kata-opa/default-policy.rego
+
+
+# Create service file
+
+cp ${ADDONS_DIR}/opa/kata-opa.service /etc/systemd/system/kata-opa.service
+
+systemctl enable kata-opa.service
+
+# PODVM_DISTRO variable is set as part of the podvm image build process
+# and available inside the packer VM
+if [[ "$PODVM_DISTRO" == "ubuntu" ]] || [[ "$PODVM_DISTRO" == "rhel" ]]; then
+    # Copy opa binary in /usr/local/bin
+    curl -L -o opa https://openpolicyagent.org/downloads/v0.58.0/opa_linux_amd64_static
+    install -D -o root -g root -m 0755 opa -T /usr/local/bin/opa
+
+fi
+
+
+
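Review bot: The `ExecStart` line binds OPA's REST API to `127.0.0.1:8181` with no `--authentication`/`--authorization` options, so the policy endpoint is usable by any process in the guest that can open a loopback connection; whether workload containers can reach it presumably depends on how kata-agent sets up network namespaces, which I cannot confirm from this diff. Since kata-agent itself talks to OPA without credentials, turning on token auth is probably not an option here, but the unit should record the assumption so nobody reads `DynamicUser=yes` as sufficient isolation: above `ExecStart`, add `# OPA's API is loopback-only and unauthenticated; policy integrity relies on the loaded policy's SetPolicyRequest rule, not on this unit.` The `Before=kata-agent.service` ordering without a matching `Wants=`/`Requires=` in kata-agent's unit is outside this diff, so I am not raising it here.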
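Review bot: The `curl -L -o opa https://openpolicyagent.org/downloads/v0.58.0/...` line inside the `if` block fetches the policy engine that every sandbox will trust and installs it root-owned and executable with no integrity check, and because curl is run without `--fail` an HTTP error page would be written to `opa` and installed as the binary since the script never checks exit codes (no `set -e`). A pinned sha256 for the v0.58.0 artifact verified with `sha256sum -c` before `install`, plus `curl -fsSL` and `set -euo pipefail` at the top, closes both gaps; the checksum value is not on this page, so it is shown as a placeholder below. Separately, `systemctl enable kata-opa.service` runs for every distro while the binary is only installed for ubuntu and rhel, so on any other `PODVM_DISTRO` the enabled unit will fail at boot for lack of /usr/local/bin/opa; either gate the enable on the same condition or document why other distros are expected to ship opa already.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: ADDONS_DIR, policy copy, default-policy symlink, service install …

if [[ "${PODVM_DISTRO:-}" == "ubuntu" ]] || [[ "${PODVM_DISTRO:-}" == "rhel" ]]; then
    # Install the opa binary in /usr/local/bin, verifying it against the
    # published checksum before it becomes a root-owned executable.
    OPA_VERSION="v0.58.0"
    OPA_SHA256="<sha256 of opa_linux_amd64_static for ${OPA_VERSION} — fill in from the upstream release>"
    curl -fsSL -o opa "https://openpolicyagent.org/downloads/${OPA_VERSION}/opa_linux_amd64_static"
    echo "${OPA_SHA256}  opa" | sha256sum -c -
    install -D -o root -g root -m 0755 opa -T /usr/local/bin/opa
    rm -f opa
fi
```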