
OPA and cloud resources


Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/

Toshinori Sugita

July 07, 2021



Transcript

  1. (slide 1) OPA & cloud resources. July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup, @toshi0607
  2. (slide 2) Self introduction
     • Toshinori Sugita
       ◦ @toshi0607
     • Job
       ◦ 2018 Merpay
         ▪ microservice development
       ◦ 2020 Mercari
         ▪ microservice platform (platform infra)
     • Books
       ◦ 『GCPで学ぶTerraform 基礎編/実践編』
       ◦ Knative books × 3
  3. (slide 3) OPA in Mercari
     • Preparing guardrails for Istio at scale
     • Enhance Kubernetes Security with Gatekeeper
     • Open Policy AgentとSpinnakerで実現するマイクロサービスの安全な継続的デリバリー (Safe continuous delivery of microservices with Open Policy Agent and Spinnaker)
     • Introduce Conftest
  4. (slide 4) OPA in Mercari for Kubernetes
     • Capabilities
     • Host namespaces
     • Host network
     • Host path
     • Privileged container
     • Wildcard tolerations
     • Dedicated node pool access
     • Liveness/Readiness probe
     • Memory request/limit
     • Pre stop
     • PDB
     • HPA
     • VPA
     • Datadog Metric
     • Istio config
     • DNS config
     • External IP
     • Service type
  5. (slide 7) OPA for cloud resources
     • Domain agnostic and general purpose policy engine
     • terraform plan and configuration can be converted to JSON
     • Conftest supports JSON and HCL/HCL2
  6. (slide 8) Differences from use cases for Kubernetes
     • No gatekeeper
       ◦ Terraform -> GCP API
     • Conftest
       ◦ conftest verify
       ◦ conftest test
  7. (slide 9) Differences from existing Terraform tools
     • terraform fmt
       ◦ Terraform style convention
     • terraform validate
       ◦ Terraform syntax
     • terraform-linters/tflint
       ◦ GCP API compatibility
     • terraform variable (v0.13~)
       ◦ General context for input via variable
     • OPA
       ◦ General context (reliability, security, company convention, etc.)
  8. (slide 10) Use cases
     • Production readiness check
       ◦ Cloud SQL: backup, auto resize, maintenance window
       ◦ Cloud Storage: multi-regional, versioning
     • Terraform module guard rail
       ◦ Allow list
       ◦ Service company, country, environment
       ◦ Module version
       ◦ Unintended combination
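The production readiness checks and the module allow list on slide 10 can be written as a single Conftest policy over the JSON form of a Terraform plan (slide 7). The following Rego is an added example, not code from the deck or from Mercari: it assumes the plan was exported with `terraform show -json tfplan > plan.json`, so that `input.resource_changes[].change.after` holds each resource's planned attributes and `input.configuration.root_module.module_calls` holds each module call's `source`. The allow-listed module prefix is a placeholder.

```rego
# Added example (not from the slides): Conftest policy, package main, run as
#   conftest test plan.json -p policy/
# Input layout assumed: `terraform show -json tfplan` output.
package main

# Resources that will exist after apply (created or updated). Deletes are skipped
# because their `change.after` is null.
planned[rc] {
    rc := input.resource_changes[_]
    rc.change.actions[_] == "create"
}

planned[rc] {
    rc := input.resource_changes[_]
    rc.change.actions[_] == "update"
}

# --- Production readiness: Cloud SQL ---------------------------------------

backups_enabled(after) {
    after.settings[0].backup_configuration[0].enabled == true
}

# Missing backup_configuration is also a violation: the helper is then undefined,
# so `not backups_enabled(...)` succeeds.
deny[msg] {
    rc := planned[_]
    rc.type == "google_sql_database_instance"
    not backups_enabled(rc.change.after)
    msg := sprintf("%s: Cloud SQL automated backups must be enabled", [rc.address])
}

deny[msg] {
    rc := planned[_]
    rc.type == "google_sql_database_instance"
    rc.change.after.settings[0].disk_autoresize == false
    msg := sprintf("%s: Cloud SQL disk_autoresize must not be disabled", [rc.address])
}

deny[msg] {
    rc := planned[_]
    rc.type == "google_sql_database_instance"
    not rc.change.after.settings[0].maintenance_window
    msg := sprintf("%s: Cloud SQL maintenance_window must be set", [rc.address])
}

# --- Production readiness: Cloud Storage -----------------------------------

# Multi-regional locations accepted for production buckets (assumed allow list).
multi_regional_locations := {"US", "EU", "ASIA"}

deny[msg] {
    rc := planned[_]
    rc.type == "google_storage_bucket"
    not multi_regional_locations[upper(rc.change.after.location)]
    msg := sprintf("%s: bucket location %s is not multi-regional", [rc.address, rc.change.after.location])
}

deny[msg] {
    rc := planned[_]
    rc.type == "google_storage_bucket"
    not rc.change.after.versioning[0].enabled
    msg := sprintf("%s: bucket versioning must be enabled", [rc.address])
}

# --- Terraform module guard rail: source allow list ------------------------

# Placeholder prefix; replace with the organisation's module repository.
allowed_module_prefixes := {"git::https://example.invalid/infra-modules//"}

module_source_allowed(src) {
    prefix := allowed_module_prefixes[_]
    startswith(src, prefix)
}

deny[msg] {
    mc := input.configuration.root_module.module_calls[name]
    not module_source_allowed(mc.source)
    msg := sprintf("module %s: source %s is not on the allow list", [name, mc.source])
}
```

Conftest reads `deny` rules from package `main` by default, so the file can be dropped into `policy/` unchanged; unit tests for the rules (`conftest verify`, slide 8) are written against small hand-built plan fragments rather than a full plan. Checking `disk_autoresize == false` rather than `not ... == true` is deliberate: the provider defaults the attribute to true, so only an explicit opt-out should fail.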
  9. (slide 12) Takeaways
     • OPA & Conftest support not only Kubernetes but also a cloud resource (Terraform) use case
     • OPA & Conftest cover fine-grained use cases that existing tools don't support