Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OPA and cloud resources

Avatar for Toshinori Sugita Toshinori Sugita
July 07, 2021
Technology
0
13k

OPA and cloud resources

Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Avatar for Toshinori Sugita

Toshinori Sugita

July 07, 2021
Tweet

More Decks by Toshinori Sugita

See All by Toshinori Sugita
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
Avatar for Toshinori Sugita toshi0607
5
6.4k
KompalWeather: Serverless Sauna Service with Cloud Run
Avatar for Toshinori Sugita toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
0
5k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
4
11k
Knativeへの誘い / Go Go Knative!
Avatar for Toshinori Sugita toshi0607
3
5.6k
Build serverless application on top of Kubernetes #sdmel19
Avatar for Toshinori Sugita toshi0607
1
6.3k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
Avatar for Toshinori Sugita toshi0607
9
15k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
Avatar for Toshinori Sugita toshi0607
1
7k
Goで学ぶKnative #mercarigo / learning Knative with Go
Avatar for Toshinori Sugita toshi0607
5
24k

Other Decks in Technology

See All in Technology
[SRE NEXT] ARR150億円_エンジニア140名_27チーム_17プロダクトから始めるSLO.pdf
Avatar for sato-s satos
5
3k
ClaudeCode_vs_GeminiCLI_Terraformで比較してみた
Avatar for t-kikuchi tkikuchi
1
1k
20250708オープンエンドな探索と知識発見
Avatar for Sakana AI sakana_ai
PRO
4
1k
Deep Security Conference 2025:生成AI時代のセキュリティ監視 /dsc2025-genai-secmon
Avatar for Masayoshi Mizutani mizutani
4
2.9k
Figma Dev Mode MCP Serverを用いたUI開発
Avatar for zoothezoo zoothezoo
0
230
「Chatwork」のEKS環境を支えるhelmfileを使用したマニフェスト管理術
Avatar for hanayo04 hanayo04
1
400
Delegating the chores of authenticating users to Keycloak
Avatar for Alexander Schwartz ahus1
0
190
セキュアな社内Dify運用と外部連携の両立 ~AIによるAPIリスク評価~
Avatar for ZOZO Developers zozotech
PRO
0
120
60以上のプロダクトを持つ組織における開発者体験向上への取り組み - チームAPIとBackstageで構築する組織の可視化基盤 - / sre next 2025 Efforts to Improve Developer Experience in an Organization with Over 60 Products
Avatar for VTRyo vtryo
3
1.9k
SREの次のキャリアの道しるべ 〜SREがマネジメントレイヤーに挑戦して、 気づいたこととTips〜
Avatar for coconala_engineer coconala_engineer
1
4.3k
shake-upを科学する
Avatar for Jack rsakata
7
1k
united airlines ™®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for yasam flyunitedhelp
1
470

Featured

See All Featured
Navigating Team Friction
Avatar for Lara Hogan lara
187
15k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
29
5.4k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
54
13k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Visualization
Avatar for Eitan Lees eitanlees
146
16k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
90
590k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
10
700
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
299
21k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
3.1k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.4k

Transcript

  1. 1 OPA & cloud resources July 7th 2021, Open Policy

    Agent Rego Knowledge Sharing Meetup @toshi0607

  2. 2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job

    ◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3

  3. 3 OPA in Mercari • Preparing guardrails for Istio at

    scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest

  4. 4 OPA in Mercari for Kubernetes • Capabilities • Host

    namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type

  5. 5 Example: Capabilities

  6. 6 Example: Capabilities

  7. 7 OPA for cloud resources • Domain agnostic and general

    purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2

  8. 8 Differences from use cases for Kubernetes • No gatekeeper

    ◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test

  9. 9 Differences from existing Terraform tools • terraform fmt ◦

    Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)

  10. 10 Use cases • Production readiness check ◦ Cloud SQL

    backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination

  11. 11 Example: Terraform module

  12. 12 Takeaways • OPA & Conftest support not only Kubernetes

    but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support