Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Toshinori Sugita
July 07, 2021
Technology
0
13k
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
610
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
0
4.8k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
4
11k
Knativeへの誘い / Go Go Knative!
toshi0607
3
5.3k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
1
6k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
9
14k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
toshi0607
1
6.7k
Goで学ぶKnative #mercarigo / learning Knative with Go
toshi0607
5
24k
Other Decks in Technology
See All in Technology
サービスの拡大に伴うオペレーション課題に立ち向かう / 20241128_cloudsign_pdm
bengo4com
0
760
LINEヤフーにおける超大規模プラットフォーム実現への挑戦と学び / Challenges and Lessons in Building an Ultra-Large-Scale Platform at LY Corporation
hhiroshell
1
840
エンジニアの草の根活動のその先へ LINEギフトのアクセシビリティにおける ネクストアクション
lycorptech_jp
PRO
0
100
総会員数1,500万人のレストランWeb予約サービスにおけるRustの活用
kymmt90
3
2.6k
ご挨拶
iotcomjpadmin
0
180
間違いだらけのポストモーテム - ホントに役立つレビューはこうだ!
jacopen
5
810
共創するアーキテクチャ ~チーム全体で築く持続可能な開発エコシステム~ / Co-Creating Architecture - A Sustainable Development Ecosystem Built by the Entire Team
bitkey
PRO
1
3.8k
歴史あるRuby on Railsでデッドコードを見つけ、 消す方法@yabaibuki.dev #3
ayumu838
0
1.7k
Nutanixにいらっしゃいませ。Moveと仮想マシン移行のポイント紹介
shadowhat
0
200
GeminiとUnityで実現するインタラクティブアート
hokkey621
0
270
B11-SharePoint サイトのストレージ管理を考えよう
maekawa123
0
110
GAS × Discord bot × Gemini で作ったさいきょーの情報収集ツール
ysknsid25
1
350
Featured
See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
400
Writing Fast Ruby
sferik
627
61k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
The World Runs on Bad Software
bkeepers
PRO
65
11k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
4 Signs Your Business is Dying
shpigford
181
21k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
247
1.3M
Gamification - CAS2011
davidbonilla
80
5k
The Invisible Side of Design
smashingmag
298
50k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
bengo4com
hhiroshell
lycorptech_jp
kymmt90
iotcomjpadmin
jacopen
bitkey
ayumu838
shadowhat
hokkey621
maekawa123
ysknsid25
irinanazarova
sferik
jnunemaker
bkeepers
eileencodes
shpigford
sugarenia
davidbonilla
smashingmag
csswizardry
rocio
