Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Toshinori Sugita
July 07, 2021
Technology
14k
1
Share
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
More Decks by Toshinori Sugita
See All by Toshinori Sugita
GKEを中心としたマルチプロダクト・マルチリージョン対応アプリケーションプラットフォームの継続的改善 / continuous improvement of GKE based application platform
toshi0607
1
170
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
toshi0607
2
6.6k
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
4
1.8k
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
9.3k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
1
13k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
1
5.3k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
toshi0607
4
5.9k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
2
6.6k
Other Decks in Technology
See All in Technology
AI 時代の Platform Engineering
recruitengineers
PRO
1
220
Sansan Engineering Unit 紹介資料
sansan33
PRO
1
4.5k
PdM・Eng・QAで進めるAI駆動開発の現在地/aidd-with-pdm-eng-qa
shota_kusaba
0
250
20260515 ⾃分のアカウントとプライバシーを守る認証と認可の話〜利⽤者向け〜
oidfj
0
670
Purview 勉強会報告 Microsoft Purview 入門しようとしてみた
masakichixo
1
440
AI飲み会幹事エージェントを作っただけなのに
ykimi
0
230
ESP32 IoTを動かしながらメモリ使用量を観測してみた話
zozotech
PRO
0
140
AIエージェントの支払い基盤 AgentCore Payments概要
kmiya84377
2
200
20260515 ID管理は会社を守る大切な砦!〜🔰情シス向け〜
oidfj
0
610
写真で見るAWS Summit Singapore 2026
k_adachi_01
0
110
なぜ、IAMロールのプリンシパルに*による部分マッチングが使えないのか? / 20260518-ssmjp-iam-role-principal
opelab
1
130
Redmine次期バージョン7.0の注目新機能解説 — UI/UX強化と連携強化を中心に
vividtone
1
160
Featured
See All Featured
Designing Powerful Visuals for Engaging Learning
tmiket
1
370
Why Our Code Smells
bkeepers
PRO
340
58k
Heart Work Chapter 1 - Part 1
lfama
PRO
7
35k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
10k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
390
Visualization
eitanlees
151
17k
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.2k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
140
Being A Developer After 40
akosma
91
590k
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
280
Embracing the Ebb and Flow
colly
88
5k
Designing Experiences People Love
moore
143
24k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
recruitengineers
sansan33
.jpg){kind=avatar}
shota_kusaba
.png){kind=avatar}
oidfj
masakichixo
ykimi
zozotech
kmiya84377
k_adachi_01
opelab
vividtone
tmiket
bkeepers
lfama
eileencodes
mfonobong
eitanlees
charlesmeaden
marketingsoph
akosma
reverentgeek
colly
moore
