Slide 1
Slide 1 text
5FSSBGPSNY01"$POGUFTUͷ
UJQT
Open Policy Agent Rego
Knowledge Sharing Meetup #2021.07
Ryo Kubota @ryok6t
Slide 2
Slide 2 text
• Ryo Kubota (@ryok6t)
• FiNC Technologies
• SRE Team manager
ࣗݾհ
Slide 3
Slide 3 text
લఏ
• ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ
• ֤αʔϏεͷΠϯϑϥҎԼͰίʔυཧ
• Kubernetes ͷ manifest
• Terraform
• ֤։ൃνʔϜ͕ࣗͰ͜ΕΒͷίʔυΛॻ͍͍ͯΔ
• ࣭ͷ୲อͷͨΊʹ Conftest Λར༻
Slide 4
Slide 4 text
Ҏલͷൃද
• https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru
Slide 5
Slide 5 text
ຊͷ༰
• ʢಛʹʣTerraform Ͱ OPA Λ͏߹ͷͪΐͬͱͨ͠ίπ
• ͕ࣗ OPA Λಋೖ͢ΔલʹΓ͔ͨͬͨ͜ͱͷ·ͱΊ
Slide 6
Slide 6 text
·ͣQMBOΛ+40/ʹ
• plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β
• terraform plan -out plan.tfplan
• terraform show -json plan.tfplan | conftest test -
Slide 7
Slide 7 text
5FSSBGPSNQMBOͷ+40/
ϦιʔεͱͦΕʹର͢ΔมߋҰཡ
Ճ͑Δૢ࡞ʢDSFBUF
VQEBUFͳͲʣ
Ϧιʔεͷใ
มߋલมߋޙͷঢ়ଶ
Slide 8
Slide 8 text
ϙϦγʔΛॻ͘
WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ
• ʮresource type ͕ security group Ͱɺport ͕
ϑϧΦʔϓϯͳͷ͕1ݸͰ͋Ε violationʯ
Slide 9
Slide 9 text
ڞ௨ͷॲཧΛ·ͱΊΔ
• ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍
• e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ
• ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ
• ຖճॻ͘ͷ໘
Slide 10
Slide 10 text
GVODUJPOΛͬͨڞ௨ॲཧ
ड͚औͬͨUZQFʹ
ͯ·Δͷ͚ͩΛฦ͢
Slide 11
Slide 11 text
ڞ௨ॲཧΛผͷϑΝΠϧʹΓग़͢
• ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘
Slide 12
Slide 12 text
ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢
ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU
CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ
Slide 13
Slide 13 text
ྫ֎έʔεΛѻ͏
• There is no rule without exceptions
• ಛఆͷϦιʔε͚ͩϧʔϧͷର֎ʹ͍ͨ͠έʔε͕ଘࡏ
Slide 14
Slide 14 text
lFYDFQUJPOzΛͬͯྫ֎ʹରԠ
• ྫ֎ͷϩδοΫʹͯ·ͬͨ߹ɺrules Ͱࢦఆͨ͠
ͷແࢹ͞ΕΔ
• ҎԼͰ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ
Slide 15
Slide 15 text
ςετΛॻ͘
• Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ
• Conftest ࣗମͰ؆୯ʹςετ͕Մೳ
Slide 16
Slide 16 text
ςετͷํ๏
• foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ
• conftest verify Λ࣮ߦ
Slide 17
Slide 17 text
ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ
ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ
WJPMBUJPOʹͳΔ͜ͱΛςετ
Slide 18
Slide 18 text
ςετίʔυͷߏ
QMBOͷ+40/ͱಉ͡ߏͰ
ςετσʔλΛੜ
XJUIBTΛͬͯ
ςετσʔλΛ༩͑Δ
Slide 19
Slide 19 text
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε
Slide 20
Slide 20 text
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε
• not Λ͚ͭΔ͚ͩ
Slide 21
Slide 21 text
ςετσʔλʹ͍ͭͯ
• ެࣜυΩϡϝϯτͰɺςετίʔυʹ JSON Λ
ॻ͍͍ͯΔ
• Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/
Slide 22
Slide 22 text
ςετσʔλʹ͍ͭͯ
• ͔͠͠ JSON Λॻ͘ͱਏ͍έʔε͕ଟ͍
• ݱࡏ yaml Ͱॻ͍ͯ yaml.unmarshal ͍ͯ͠Δ
Slide 23
Slide 23 text
࠷ޙʹσόοάʹ͍ͭͯ
• policy ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ
• ҙͷՕॴʹ trace(string) ΛࠐΉ͜ͱͰσόοάग़ྗ
͕Մೳ
• `—trace` Φϓγϣϯ͖Ͱ Conftest Λ࣮ߦ