Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Toshinori Sugita
July 07, 2021
Technology
1
13k
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
toshi0607
2
3.4k
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
4
990
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
8.4k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
1
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
1
5.2k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
toshi0607
4
5.8k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
2
6.5k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
10
15k
Other Decks in Technology
See All in Technology
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
aeonpeople
1
180
We Built for Predictability; The Workloads Didn’t Care
stahnma
0
130
Introduction to Bill One Development Engineer
sansan33
PRO
0
360
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
450
顧客との商談議事録をみんなで読んで顧客解像度を上げよう
shibayu36
0
160
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
genda
1
270
顧客の言葉を、そのまま信じない勇気
yamatai1212
1
340
Mosaic AI Gatewayでコーディングエージェントを配るための運用Tips / JEDAI 2026 新春 Meetup! AIコーディング特集
genda
0
150
AzureでのIaC - Bicep? Terraform? それ早く言ってよ会議
torumakabe
1
350
Digitization部 紹介資料
sansan33
PRO
1
6.8k
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
17k
~Everything as Codeを諦めない~ 後からCDK
mu7889yoon
3
270
Featured
See All Featured
Introduction to Domain-Driven Design and Collaborative software design
baasie
1
580
What Being in a Rock Band Can Teach Us About Real World SEO
427marketing
0
170
30 Presentation Tips
portentint
PRO
1
210
Speed Design
sergeychernyshev
33
1.5k
Designing Powerful Visuals for Engaging Learning
tmiket
0
220
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
63
How Software Deployment tools have changed in the past 20 years
geshan
0
32k
Git: the NoSQL Database
bkeepers
PRO
432
66k
Designing for humans not robots
tammielis
254
26k
Unsuck your backbone
ammeep
671
58k
How to build a perfect <img>
jonoalderson
1
4.9k
How to make the Groovebox
asonas
2
1.9k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
SiteGround - Reliable hosting with speed, security, and support you can count on.
toshi0607
aeonpeople
stahnma
sansan33
torounit
shibayu36
genda
yamatai1212
torumakabe
mu7889yoon
baasie
427marketing
portentint
sergeychernyshev
tmiket
techseoconnect
geshan
bkeepers
tammielis
ammeep
jonoalderson
asonas
