Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Toshinori Sugita
July 07, 2021
Technology
14k
1
Share
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
More Decks by Toshinori Sugita
See All by Toshinori Sugita
GKEを中心としたマルチプロダクト・マルチリージョン対応アプリケーションプラットフォームの継続的改善 / continuous improvement of GKE based application platform
toshi0607
1
160
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
toshi0607
2
5.9k
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
4
1.6k
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
9.1k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
1
13k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
1
5.3k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
toshi0607
4
5.9k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
2
6.6k
Other Decks in Technology
See All in Technology
社内エンジニア勉強会の醍醐味と苦しみ/tamadev
nishiuma
0
240
「誰一人取り残されない」 AIエージェント時代のプロダクト設計思想 Product Management Summit 2026
mizushimac
1
1.6k
AIはハッカーを減らすのか、増やすのか?──現役ホワイトハッカーから見るAI時代のリアル【MEGU-Meet】
cscengineer
PRO
0
200
実践ハーネスエンジニアリング:TAKTで実現するAIエージェント制御 / Practical Harness Engineering: AI Agent Control Enabled by TAKT
nrslib
12
4.8k
AI時代のガードレールとしてのAPIガバナンス
nagix
0
310
AgentCore Managed Harness を使ってみよう
yakumo
2
230
Practical TypeProf: Lessons from Analyzing Optcarrot
mame
0
1k
Oracle AI Database@AWS:サービス概要のご紹介
oracle4engineer
PRO
4
2.4k
Do Vibe Coding ao LLM em Produção para Busca Agêntica - TDC 2026 - Summit IA - São Paulo
jpbonson
3
150
Rapid Start: Faster Internet Connections, with Ruby's Help
kazuho
2
770
レビューしきれない?それは「全て人力でのレビュー」だからではないでしょうか
amixedcolor
0
350
Anthropic「Long-running a gents」をGeminiで再現してみた
tkikuchi
0
190
Featured
See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
1.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.4k
Paper Plane
katiecoart
PRO
1
49k
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
530
Scaling GitHub
holman
464
140k
How to Think Like a Performance Engineer
csswizardry
28
2.6k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.2k
Primal Persuasion: How to Engage the Brain for Learning That Lasts
tmiket
0
320
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
680
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
9.9k
Mobile First: as difficult as doing things right
swwweet
225
10k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
nishiuma
mizushimac
cscengineer
nrslib
nagix
yakumo
mame
oracle4engineer
jpbonson
kazuho
amixedcolor
tkikuchi
honnibal
tammyeverts
katiecoart
inesmontani
holman
csswizardry
aleyda
tmiket
kimpetersen
mongodb
swwweet
afnizarnur
