Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Toshinori Sugita
July 07, 2021
Technology
0
13k
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
0
4.8k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
4
11k
Knativeへの誘い / Go Go Knative!
toshi0607
3
5.3k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
1
6k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
9
14k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
toshi0607
1
6.7k
Goで学ぶKnative #mercarigo / learning Knative with Go
toshi0607
5
24k
入門 Knative 〜KubernetesとServerlessとの出会い〜 / getting started with knative
toshi0607
8
9.2k
Other Decks in Technology
See All in Technology
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
390
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.7k
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
160
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
120
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
Featured
See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
Documentation Writing (for coders)
carmenintech
65
4.4k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Into the Great Unknown - MozCon
thekraken
32
1.5k
GitHub's CSS Performance
jonrohan
1030
460k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Designing Experiences People Love
moore
138
23k
The Cult of Friendly URLs
andyhume
78
6k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
oracle4engineer
tacck
spycwolf
akexorcist
ysknsid25
tsumita
kimujun
recruitengineers
koichiotomo
uhyo
destraynor
hatefulcrawdad
reverentgeek
carmenintech
thoeni
scottboms
chriscoyier
thekraken
jonrohan
jcasabona
moore
andyhume
