Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OPA and cloud resources

Avatar for Toshinori Sugita Toshinori Sugita
July 07, 2021
Technology
1
13k

OPA and cloud resources

Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/

Avatar for Toshinori Sugita

Toshinori Sugita

July 07, 2021
Tweet

More Decks by Toshinori Sugita

See All by Toshinori Sugita
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
Avatar for Toshinori Sugita toshi0607
2
2.7k
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
Avatar for Toshinori Sugita toshi0607
4
790
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
Avatar for Toshinori Sugita toshi0607
5
8.1k
KompalWeather: Serverless Sauna Service with Cloud Run
Avatar for Toshinori Sugita toshi0607
1
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
1
5.2k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
Avatar for Toshinori Sugita toshi0607
4
5.8k
Build serverless application on top of Kubernetes #sdmel19
Avatar for Toshinori Sugita toshi0607
2
6.5k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
Avatar for Toshinori Sugita toshi0607
10
15k

Other Decks in Technology

See All in Technology
歴史から学ぶ、Goのメモリ管理基礎
Avatar for Takuto Nagami logica0419
14
2.7k
Contract One Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
12k
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
10k
わが10年の叡智をぶつけたカオスなクラウドインフラが、なくなるということ。
Avatar for Hisashi SOGA sogaoh
PRO
1
520
自己管理型チームと個人のセルフマネジメント 〜モチベーション編〜
Avatar for KAKEHASHI kakehashi
PRO
5
2.8k
純粋なイミュータブルモデルを設計してからイベントソーシングと組み合わせるDeciderの実践方法の紹介 /Introducing Decider Pattern with Event Sourcing
Avatar for Tomohisa Takaoka tomohisa
1
990
あの夜、私たちは「人間」に戻った。 ── 災害ユートピア、贈与、そしてアジャイルの再構築 / 20260108 Hiromitsu Akiba
Avatar for SHIFT EVOLVE shift_evolve
PRO
0
620
戰略轉變:從建構 AI 代理人到發展可擴展的技能生態系統
Avatar for Bo-Yi Wu appleboy
0
190
複雑さを受け入れるか、拒むか? - 事業成長とともに育ったモノリスを前に私が考えたこと #RSGT2026
Avatar for bayashi murabayashi
1
1.8k
Oracle Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
1
910
サラリーマンソフトウェアエンジニアのキャリア
Avatar for YuheiNakasaka yuheinakasaka
38
18k
Oracle Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
3
350

Featured

See All Featured
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
187
22k
A Soul's Torment
Avatar for Nat Ma seathinner
4
2.1k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
85
9.3k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
359
30k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.6k
Tell your own story through comics
Avatar for letsgokoyo letsgokoyo
1
780
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
Avatar for Ines Montani inesmontani
PRO
3
2.8k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.6k
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
3
420
Unlocking the hidden potential of vector embeddings in international SEO
Avatar for Frank van Dijk frankvandijk
0
140
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M

Transcript

  1. 1 OPA & cloud resources July 7th 2021, Open Policy

    Agent Rego Knowledge Sharing Meetup @toshi0607

  2. 2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job

    ◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3

  3. 3 OPA in Mercari • Preparing guardrails for Istio at

    scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest

  4. 4 OPA in Mercari for Kubernetes • Capabilities • Host

    namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type

  5. 5 Example: Capabilities

  6. 6 Example: Capabilities

  7. 7 OPA for cloud resources • Domain agnostic and general

    purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2

  8. 8 Differences from use cases for Kubernetes • No gatekeeper

    ◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test

  9. 9 Differences from existing Terraform tools • terraform fmt ◦

    Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)

  10. 10 Use cases • Production readiness check ◦ Cloud SQL

    backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination

  11. 11 Example: Terraform module

  12. 12 Takeaways • OPA & Conftest support not only Kubernetes

    but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support