Slide 1

OPA & cloud resources
July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup
@toshi0607

Slide 2

Self introduction
● Toshinori Sugita
  ○ @toshi0607
● Job
  ○ 2018 Merpay
    ■ microservice development
  ○ 2020 Mercari
    ■ microservice platform (platform infra)
● Books
  ○ 『GCPで学ぶTerraform 基礎編/実践編』 (Learning Terraform with GCP: Basics / Practice)
  ○ 3 books on Knative

Slide 3

OPA in Mercari
● Preparing guardrails for Istio at scale
● Enhance Kubernetes Security with Gatekeeper
● Open Policy AgentとSpinnakerで実現するマイクロサービスの安全な継続的デリバリー (Safe continuous delivery of microservices with Open Policy Agent and Spinnaker)
● Introduce Conftest

Slide 4

OPA in Mercari for Kubernetes
● Capabilities
● Host namespaces
● Host network
● Host path
● Privileged container
● Wildcard tolerations
● Dedicated node pool access
● Liveness/Readiness probe
● Memory request/limit
● preStop hook
● PDB
● HPA
● VPA
● Datadog Metric
● Istio config
● DNS config
● External IP
● Service type

Slide 5

Example: Capabilities

Slide 6

Example: Capabilities
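The capabilities example on the slide itself is not in this text. What follows is an added example, not Mercari's policy and not code from the slides: a Conftest policy (package `main`, current Rego syntax with `import rego.v1`, so it needs a recent OPA/Conftest) that enforces a hypothetical allow list of capabilities a container may add and requires every container to drop ALL. The allow list contents, the `deny` messages and the manifest in the `test_` rule are assumptions constructed for the example; Gatekeeper would carry the same logic inside a ConstraintTemplate, reading `input.review.object` instead of `input`.

```rego
# Added example (not the slide's own policy): a Conftest policy for Kubernetes
# manifests that enforces a capability allow list. The allow list is hypothetical.
# Usage: conftest test deployment.yaml   (policies loaded from ./policy, package main)
#        conftest verify                 (runs the test_ rule at the bottom)
package main

import rego.v1

# Capabilities a container may add on top of the runtime default set (assumed).
allowed_add_capabilities := {"NET_BIND_SERVICE"}

# Pod spec for a bare Pod and for workload kinds that embed a pod template.
pod_spec := input.spec if input.kind == "Pod"

pod_spec := input.spec.template.spec if input.kind in {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Regular and init containers are checked alike.
containers contains c if some c in pod_spec.containers

containers contains c if some c in pod_spec.initContainers

# Missing securityContext/capabilities blocks read as empty lists.
added_caps(c) := object.get(c, ["securityContext", "capabilities", "add"], [])

dropped_caps(c) := object.get(c, ["securityContext", "capabilities", "drop"], [])

deny contains msg if {
	some c in containers
	some cap in added_caps(c)
	not cap in allowed_add_capabilities
	msg := sprintf("%s %s: container %s adds capability %s, which is not on the allow list", [input.kind, input.metadata.name, c.name, cap])
}

# Every container must start from an empty capability set (drop: ["ALL"]).
deny contains msg if {
	some c in containers
	not "ALL" in dropped_caps(c)
	msg := sprintf("%s %s: container %s must drop ALL capabilities", [input.kind, input.metadata.name, c.name])
}

# Unit test for `conftest verify`, with a constructed manifest.
test_unlisted_capability_is_denied if {
	manifest := {
		"kind": "Deployment",
		"metadata": {"name": "web"},
		"spec": {"template": {"spec": {"containers": [{
			"name": "app",
			"securityContext": {"capabilities": {"add": ["SYS_ADMIN"], "drop": ["ALL"]}}
		}]}}}
	}
	expected := "Deployment web: container app adds capability SYS_ADMIN, which is not on the allow list"
	expected in deny with input as manifest
	count(deny) == 1 with input as manifest
}
```

Both checks are written so that an absent `securityContext` fails the drop-ALL check rather than passing silently; the add check only fires for capabilities actually listed, which is why the allow list and the drop requirement are separate rules.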

Slide 7

OPA for cloud resources
● Domain agnostic and general purpose policy engine
● terraform plan and configuration can be converted to JSON
● Conftest supports JSON and HCL/HCL2

Slide 8

Differences from use cases for Kubernetes
● No Gatekeeper
  ○ Terraform -> GCP API
● Conftest
  ○ conftest verify
  ○ conftest test

Slide 9

Differences from existing Terraform tools
● terraform fmt
  ○ Terraform style convention
● terraform validate
  ○ Terraform syntax
● terraform-linters/tflint
  ○ GCP API compatibility
● terraform variable (v0.13~)
  ○ General context for input via variable
● OPA
  ○ General context (reliability, security, company convention, etc.)

Slide 10

Use cases
● Production readiness check
  ○ Cloud SQL backup, auto resize, maintenance window
  ○ Cloud Storage multi-regional, versioning
● Terraform module guardrail
  ○ Allow list
  ○ Service company, country, environment
  ○ Module version
  ○ Unintended combination
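As an added example (not Mercari's policy and not code from the slides), this is how the slide 7/8 workflow and the slide 10 use cases fit together in one Conftest policy: the plan is exported with `terraform show -json` and checked with `conftest test`, and the `test_` rule at the bottom is what `conftest verify` runs. The policy uses current Rego syntax (`import rego.v1`, so a recent OPA/Conftest is needed) and the field layout of Terraform's documented plan JSON, where nested blocks such as `settings`, `backup_configuration` and `versioning` are serialized as arrays. The concrete expectations (backups on, disk autoresize, a maintenance window, multi-region buckets with versioning), the module-source allow list prefix and the constructed plan in the test are assumptions for the example.

```rego
# Added example (not from the slides): a Conftest policy for a Terraform plan
# exported as JSON. Assumed workflow:
#   terraform plan -out=tfplan
#   terraform show -json tfplan > plan.json
#   conftest test plan.json      # policies loaded from ./policy, package main
#   conftest verify              # runs the test_ rule at the bottom
package main

import rego.v1

# Resource changes that leave a resource in place afterwards;
# "after" is null for deletions, so those are skipped.
planned contains rc if {
	some rc in input.resource_changes
	rc.change.after != null
}

# Nested blocks (settings, backup_configuration, versioning, ...) are
# serialized as arrays in plan JSON, hence the [0] indexing. Each check is
# written with `not`, so a missing block fails the check (fail closed).

# ---- Production readiness: Cloud SQL ------------------------------------

deny contains msg if {
	some rc in planned
	rc.type == "google_sql_database_instance"
	not rc.change.after.settings[0].backup_configuration[0].enabled
	msg := sprintf("%s: automated backups must be enabled", [rc.address])
}

deny contains msg if {
	some rc in planned
	rc.type == "google_sql_database_instance"
	not rc.change.after.settings[0].disk_autoresize
	msg := sprintf("%s: disk_autoresize must be true", [rc.address])
}

deny contains msg if {
	some rc in planned
	rc.type == "google_sql_database_instance"
	not rc.change.after.settings[0].maintenance_window[0]
	msg := sprintf("%s: a maintenance_window must be configured", [rc.address])
}

# ---- Production readiness: Cloud Storage --------------------------------

multi_region_locations := {"US", "EU", "ASIA"}

deny contains msg if {
	some rc in planned
	rc.type == "google_storage_bucket"
	loc := object.get(rc.change.after, "location", "")
	not upper(loc) in multi_region_locations
	msg := sprintf("%s: location %q is not multi-regional", [rc.address, loc])
}

deny contains msg if {
	some rc in planned
	rc.type == "google_storage_bucket"
	not rc.change.after.versioning[0].enabled
	msg := sprintf("%s: object versioning must be enabled", [rc.address])
}

# ---- Terraform module guardrail ------------------------------------------

# Hypothetical allow list: module sources must start with one of these prefixes.
allowed_module_sources := {"app.terraform.io/example-corp/"}

allowed_source(src) if {
	some prefix in allowed_module_sources
	startswith(src, prefix)
}

deny contains msg if {
	some name, call in input.configuration.root_module.module_calls
	not allowed_source(call.source)
	msg := sprintf("module %s: source %q is not on the allow list", [name, call.source])
}

deny contains msg if {
	some name, call in input.configuration.root_module.module_calls
	not call.version_constraint
	msg := sprintf("module %s: pin the module with a version constraint", [name])
}

# ---- Unit test for `conftest verify`, with a constructed minimal plan -----

test_sql_instance_without_backups_is_denied if {
	plan := {"resource_changes": [{
		"address": "google_sql_database_instance.main",
		"type": "google_sql_database_instance",
		"change": {"actions": ["create"], "after": {"settings": [{
			"disk_autoresize": true,
			"backup_configuration": [{"enabled": false}],
			"maintenance_window": [{"day": 7, "hour": 3}]
		}]}}
	}]}
	"google_sql_database_instance.main: automated backups must be enabled" in deny with input as plan
	count(deny) == 1 with input as plan
}
```

Checking the plan rather than the `.tf` files means values resolved from variables and module outputs are evaluated as they will actually be applied; the module guardrail rules read the `configuration` section of the same plan, so a single `conftest test plan.json` covers both the production-readiness and the module-source checks.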

Slide 11

Example: Terraform module

Slide 12

Takeaways
● OPA & Conftest support not only Kubernetes but also a cloud resource (Terraform) use case
● OPA & Conftest cover fine-grained use cases that existing tools don’t support