Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Toshinori Sugita
July 07, 2021
Technology
14k
1
Share
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
More Decks by Toshinori Sugita
See All by Toshinori Sugita
GKEを中心としたマルチプロダクト・マルチリージョン対応アプリケーションプラットフォームの継続的改善 / continuous improvement of GKE based application platform
toshi0607
1
170
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
toshi0607
2
7k
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
4
1.9k
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
9.4k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
1
13k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
1
5.3k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
toshi0607
4
5.9k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
2
6.7k
Other Decks in Technology
See All in Technology
個人最適 から 全体最適 へ AI情報共有会・AIギルド・AI-DLC で進める カンリーの組織展開
rfdnxbro
0
1.1k
運用を見据えたAIエージェント設計実践
amacbee
1
2.4k
OpenID Connectによるサービス間連携
takesection
0
160
さきさん文庫の書籍ができるまで
sakiengineer
0
340
AI Engineering Summit Tokyo 2026 AIの前に、やることがある 〜医療データ企業の4フェーズ〜
dtaniwaki
0
1.4k
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
50k
コードレビューを制するチームがソフトウェアデリバリーのフローを制す / Beyond Code Review: Distributing Its Responsibilities Across the SDLC
mtx2s
3
930
イベントストーミングとKiroの仕様駆動開発で実現する要件の認識合わせプロセス
syobochim
7
1.1k
プラットフォームエンジニア ワークショップ/ platform-workshop
databricksjapan
0
230
脅威をエンジニアリングの糧にして:恐怖を乗り越えた先にあったもの / Turn threats into fuel for engineering: what lay beyond overcoming fear
nrslib
1
380
noUncheckedIndexedAccess、3時間、1万円。 / noUncheckedIndexedAccess, 3 Hours, 10,000 JPY.
kaonavi
1
190
[モダンアプリ勉強会]今更聞けないGit/GitHub入門
tsukuboshi
0
200
Featured
See All Featured
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
2.9k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
How to Think Like a Performance Engineer
csswizardry
28
2.6k
Deep Space Network (abreviated)
tonyrice
0
160
Test your architecture with Archunit
thirion
1
2.3k
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9.1k
Designing for Timeless Needs
cassininazir
1
250
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
190
So, you think you're a good person
axbom
PRO
2
2k
Accessibility Awareness
sabderemane
1
130
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
SiteGround - Reliable hosting with speed, security, and support you can count on.
toshi0607
rfdnxbro
amacbee
takesection
sakiengineer
dtaniwaki
safie_recruit
mtx2s
syobochim
databricksjapan
nrslib
kaonavi
tsukuboshi
ivargrimstad
bluesmoon
eileencodes
csswizardry
tonyrice
thirion
aleyda
cassininazir
denniskardys
greggifford
axbom
sabderemane
