Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OPA and cloud resources

Avatar for Toshinori Sugita Toshinori Sugita
July 07, 2021
Technology
0
13k

OPA and cloud resources

Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Avatar for Toshinori Sugita

Toshinori Sugita

July 07, 2021
Tweet

More Decks by Toshinori Sugita

See All by Toshinori Sugita
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
Avatar for Toshinori Sugita toshi0607
5
6k
KompalWeather: Serverless Sauna Service with Cloud Run
Avatar for Toshinori Sugita toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
0
5k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
4
11k
Knativeへの誘い / Go Go Knative!
Avatar for Toshinori Sugita toshi0607
3
5.6k
Build serverless application on top of Kubernetes #sdmel19
Avatar for Toshinori Sugita toshi0607
1
6.2k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
Avatar for Toshinori Sugita toshi0607
9
15k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
Avatar for Toshinori Sugita toshi0607
1
7k
Goで学ぶKnative #mercarigo / learning Knative with Go
Avatar for Toshinori Sugita toshi0607
5
24k

Other Decks in Technology

See All in Technology
積み上げられた技術資産と向き合いながら、プロダクトの信頼性をどう守るか
Avatar for PLAID Tech plaidtech
PRO
0
260
技術書典18結果報告
Avatar for Mutz mutsumix
2
170
シンプルな設定ファイルで実現する AWS IAM Identity Center のユーザー管理と開発チームへの委譲 / Delegating AWS IAM Identity Center User Management with a Simple DSL
Avatar for Takashi Yamaguchi yamaguchitk333
3
520
ソフトウェアテストのAI活用_ver1.10
Avatar for fumisuke fumisuke
0
220
GigaViewerにおけるMackerel APM導入の裏側
Avatar for koudenpa 7474
0
420
2025advance01
Avatar for minamizaki minamizaki
0
120
新卒から4年間、20年もののWebサービスと向き合って学んだソフトウェア考古学 - PHPカンファレンス新潟2025 / new graduate 4year software archeology
Avatar for guri oguri
2
340
Rebase エンジニアリング組織の現状とこれから
Avatar for 株式会社Rebase_エンジニアリング rebase_engineering
0
130
令和トラベルQAのAI活用
Avatar for ao seigaitakahiro
0
480
人とAIとの共創を夢見た2か月 #共創AIミートアップ / Co-Creation with Keito-chan
Avatar for kondoyuko kondoyuko
1
650
大事なのは、AIの精度だけじゃない!〜1円のズレも許されない経理領域とAI〜
Avatar for Jun Nemoto jun_nemoto
10
5k
名刺メーカーDevグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
740

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
1
71
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
35
2.7k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
85
4.7k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
28
5.4k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
29
9.5k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
123
52k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k

Transcript

  1. 1 OPA & cloud resources July 7th 2021, Open Policy

    Agent Rego Knowledge Sharing Meetup @toshi0607

  2. 2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job

    ◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3

  3. 3 OPA in Mercari • Preparing guardrails for Istio at

    scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest

  4. 4 OPA in Mercari for Kubernetes • Capabilities • Host

    namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type

  5. 5 Example: Capabilities

  6. 6 Example: Capabilities

  7. 7 OPA for cloud resources • Domain agnostic and general

    purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2

  8. 8 Differences from use cases for Kubernetes • No gatekeeper

    ◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test

  9. 9 Differences from existing Terraform tools • terraform fmt ◦

    Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)

  10. 10 Use cases • Production readiness check ◦ Cloud SQL

    backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination

  11. 11 Example: Terraform module

  12. 12 Takeaways • OPA & Conftest support not only Kubernetes

    but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support