Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Toshinori Sugita
July 07, 2021
Technology
1
13k
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
toshi0607
2
740
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
4
430
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
7.1k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
1
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
1
5.1k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
toshi0607
4
5.7k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
2
6.4k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
10
15k
Other Decks in Technology
See All in Technology
小学4年生夏休みの自由研究「ぼくと Copilot エージェント」
taichinakamura
0
490
GA technologiesでのAI-Readyの取り組み@DataOps Night
yuto16
0
280
自作LLM Native GORM Pluginで実現する AI Agentバックテスト基盤構築
po3rin
2
270
Why React!?? Next.jsそしてReactを改めてイチから選ぶ
ypresto
10
4.5k
10年の共創が示す、これからの開発者と企業の関係 ~ Crossroad
soracom
PRO
1
540
From Prompt to Product @ How to Web 2025, Bucharest, Romania
janwerner
0
120
Why Governance Matters: The Key to Reducing Risk Without Slowing Down
sarahjwells
0
110
社内お問い合わせBotの仕組みと学び
nish01
0
450
Azure SynapseからAzure Databricksへ 移行してわかった新時代のコスト問題!?
databricksjapan
0
150
Findy Team+のSOC2取得までの道のり
rvirus0817
0
370
OCI Network Firewall 概要
oracle4engineer
PRO
1
7.8k
KMP の Swift export
kokihirokawa
0
340
Featured
See All Featured
Building Applications with DynamoDB
mza
96
6.6k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
9
580
The Art of Programming - Codeland 2020
erikaheidi
56
14k
Embracing the Ebb and Flow
colly
88
4.8k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
610
Making the Leap to Tech Lead
cromwellryan
135
9.5k
We Have a Design System, Now What?
morganepeng
53
7.8k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
960
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Building Adaptive Systems
keathley
43
2.8k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
taichinakamura
yuto16
po3rin
ypresto
soracom
janwerner
sarahjwells
nish01
databricksjapan
rvirus0817
oracle4engineer
kokihirokawa
mza
tammyeverts
erikaheidi
colly
csswizardry
yeseniaperezcruz
bluesmoon
cromwellryan
morganepeng
irinanazarova
afnizarnur
keathley
