Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OPA and cloud resources

Avatar for Toshinori Sugita Toshinori Sugita
July 07, 2021
Technology
0
13k

OPA and cloud resources

Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Avatar for Toshinori Sugita

Toshinori Sugita

July 07, 2021
Tweet

More Decks by Toshinori Sugita

See All by Toshinori Sugita
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
Avatar for Toshinori Sugita toshi0607
5
5.7k
KompalWeather: Serverless Sauna Service with Cloud Run
Avatar for Toshinori Sugita toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
0
5k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
4
11k
Knativeへの誘い / Go Go Knative!
Avatar for Toshinori Sugita toshi0607
3
5.5k
Build serverless application on top of Kubernetes #sdmel19
Avatar for Toshinori Sugita toshi0607
1
6.2k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
Avatar for Toshinori Sugita toshi0607
9
15k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
Avatar for Toshinori Sugita toshi0607
1
7k
Goで学ぶKnative #mercarigo / learning Knative with Go
Avatar for Toshinori Sugita toshi0607
5
24k

Other Decks in Technology

See All in Technology
続・やっぱり余白が大切だった話
Avatar for KAKEHASHI kakehashi
PRO
2
120
Winning at PHP in Production in 2025
Avatar for Benjamin Eberlei beberlei
1
270
白金鉱業Meetup_Vol.18_AIエージェント時代のUI/UX設計
Avatar for BrainPad brainpadpr
1
270
AWSの新機能検証をやる時こそ、Amazon Qでプロンプトエンジニアリングを駆使しよう
Avatar for k-kun duelist2020jp
1
330
Dynamic Reteaming And Self Organization
Avatar for Miho Nagase miholovesq
3
740
もう難しくない!誰でもカンタンDocker入門 〜30分であなたのPCにアプリを立ち上げる〜
Avatar for とことんDevOps devops_vtj
0
180
バクラクの認証基盤の成長と現在地 / bakuraku-authn-platform
Avatar for convto convto
4
890
Microsoft Fabric vs Databricks vs (Snowflake) -若手エンジニアがそれぞれの強みと違いを比較してみた- "A Young Engineer's Comparison of Their Strengths and Differences"
Avatar for 大竹礼二(REIJI OTAKE) reireireijinjin6
1
130
ガバクラのAWS長期継続割引 ~次の4/1に慌てないために~
Avatar for ひよこインフラエンジニア hamijay_cloud
1
580
生成AIによるCloud Native基盤構築の可能性と実践的ガードレールの敷設について
Avatar for nwiizo nwiizo
7
1.4k
Notion x ポストモーテムで広げる組織の学び / Notion x Postmortem
Avatar for Isao Shimizu isaoshimizu
1
150
AIにおけるソフトウェアテスト_ver1.00
Avatar for fumisuke fumisuke
1
330

Featured

See All Featured
It's Worth the Effort
Avatar for 3n 3n
184
28k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
40
7.2k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.2k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
57k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
179
53k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
35
2.7k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
91
6k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
75
5.8k
Code Review Best Practice
Avatar for Trisha Gee trishagee
67
18k

Transcript

  1. 1 OPA & cloud resources July 7th 2021, Open Policy

    Agent Rego Knowledge Sharing Meetup @toshi0607

  2. 2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job

    ◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3

  3. 3 OPA in Mercari • Preparing guardrails for Istio at

    scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest

  4. 4 OPA in Mercari for Kubernetes • Capabilities • Host

    namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type

  5. 5 Example: Capabilities

  6. 6 Example: Capabilities

  7. 7 OPA for cloud resources • Domain agnostic and general

    purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2

  8. 8 Differences from use cases for Kubernetes • No gatekeeper

    ◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test

  9. 9 Differences from existing Terraform tools • terraform fmt ◦

    Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)

  10. 10 Use cases • Production readiness check ◦ Cloud SQL

    backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination

  11. 11 Example: Terraform module

  12. 12 Takeaways • OPA & Conftest support not only Kubernetes

    but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support