OPA and cloud resources
Toshinori Sugita
July 07, 2021
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Transcript
1 OPA & cloud resources
July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction
• Toshinori Sugita
  ◦ @toshi0607
• Job
  ◦ 2018 Merpay
    ▪ microservice development
  ◦ 2020 Mercari
    ▪ microservice platform (platform infra)
• Books
  ◦ 『GCPで学ぶTerraform 基礎編/実践編』 (Learning Terraform with GCP: Basics / Practice)
  ◦ 3 Knative books
3 OPA in Mercari
• Preparing guardrails for Istio at scale
• Enhance Kubernetes Security with Gatekeeper
• Open Policy AgentとSpinnakerで実現するマイクロサービスの安全な継続的デリバリー (Safe continuous delivery of microservices with Open Policy Agent and Spinnaker)
• Introduce Conftest
4 OPA in Mercari for Kubernetes
• Capabilities
• Host namespaces
• Host network
• Host path
• Privileged container
• Wildcard tolerations
• Dedicated node pool access
• Liveness/Readiness probe
• Memory request/limit
• Pre stop
• PDB
• HPA
• VPA
• Datadog Metric
• Istio config
• DNS config
• External IP
• Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources
• Domain agnostic and general purpose policy engine
• terraform plan and configuration can be converted to JSON
• Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes
• No gatekeeper
  ◦ Terraform -> GCP API
• Conftest
  ◦ conftest verify
  ◦ conftest test
9 Differences from existing Terraform tools
• terraform fmt
  ◦ Terraform style convention
• terraform validate
  ◦ Terraform syntax
• terraform-linters/tflint
  ◦ GCP API compatibility
• terraform variable (v0.13~)
  ◦ General context for input via variable
• OPA
  ◦ General context (reliability, security, company convention, etc.)
10 Use cases
• Production readiness check
  ◦ Cloud SQL backup, auto resize, maintenance window
  ◦ Cloud Storage multi-regional, versioning
• Terraform module guard rail
  ◦ Allow list
  ◦ Service company, country, environment
  ◦ Module version
  ◦ Unintended combination
11 Example: Terraform module
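A Conftest policy covering the production readiness checks of slide 10 and the module guard rail of slides 10 and 11, added here as an illustration and not taken from the talk's own slides or Mercari's policies. It assumes the plan was exported with `terraform show -json plan.out`, so resources sit under `input.resource_changes` and module calls under `input.configuration.root_module.module_calls`; the module allow list holds constructed placeholder sources.

```rego
package main

# Added example, not the talk's own code. Assumes `input` is the output of
# `terraform show -json plan.out` (resources in input.resource_changes, module
# calls in input.configuration.root_module.module_calls).

# Constructed allow list; a real one holds the organisation's vetted modules.
allowed_module_sources := {
  "terraform-google-modules/cloud-storage/google",
  "terraform-google-modules/sql-db/google",
}

# Resources that will exist after apply (change.after is null for destroys).
planned[r] {
  r := input.resource_changes[_]
  r.change.after != null
}

# Production readiness: Cloud SQL needs automated backups and a maintenance window.
deny[msg] {
  r := planned[_]
  r.type == "google_sql_database_instance"
  not r.change.after.settings[0].backup_configuration[0].enabled
  msg := sprintf("%s: automated backups must be enabled", [r.address])
}
deny[msg] {
  r := planned[_]
  r.type == "google_sql_database_instance"
  not r.change.after.settings[0].maintenance_window[0].day
  msg := sprintf("%s: a maintenance_window must be set", [r.address])
}

# Production readiness: Cloud Storage buckets must keep object versions.
deny[msg] {
  r := planned[_]
  r.type == "google_storage_bucket"
  not r.change.after.versioning[0].enabled
  msg := sprintf("%s: object versioning must be enabled", [r.address])
}

# Module guard rail: only allow-listed sources, and every call pins a version.
deny[msg] {
  call := input.configuration.root_module.module_calls[name]
  not allowed_module_sources[call.source]
  msg := sprintf("module %q: source %q is not on the allow list", [name, call.source])
}
deny[msg] {
  call := input.configuration.root_module.module_calls[name]
  not call.version_constraint
  msg := sprintf("module %q must set a version constraint", [name])
}
```

With the file saved in Conftest's default `policy/` directory, `conftest test plan.json` reports every `deny` message; values that are only known after apply are absent from `change.after`, so computed settings may need to be resolved before this check is authoritative.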
12 Takeaways
• OPA & Conftest support not only Kubernetes but also a cloud resource (Terraform) use case
• OPA & Conftest cover fine-grained use cases that existing tools don’t support