Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OPA and cloud resources

C000f292a92b894afabbb352e8709667?s=47 Toshinori Sugita
July 07, 2021
Technology
0
5.8k

OPA and cloud resources

Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/

C000f292a92b894afabbb352e8709667?s=128

Toshinori Sugita

July 07, 2021
Tweet

More Decks by Toshinori Sugita

See All by Toshinori Sugita
KompalWeather: Serverless Sauna Service with Cloud Run
C000f292a92b894afabbb352e8709667?s=48 toshi0607
0
11k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
C000f292a92b894afabbb352e8709667?s=48 toshi0607
0
3.7k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
C000f292a92b894afabbb352e8709667?s=48 toshi0607
4
9.1k
Knativeへの誘い / Go Go Knative!
C000f292a92b894afabbb352e8709667?s=48 toshi0607
3
4.2k
Build serverless application on top of Kubernetes #sdmel19
C000f292a92b894afabbb352e8709667?s=48 toshi0607
1
4.9k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
C000f292a92b894afabbb352e8709667?s=48 toshi0607
9
12k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
C000f292a92b894afabbb352e8709667?s=48 toshi0607
1
5.3k
Goで学ぶKnative #mercarigo / learning Knative with Go
C000f292a92b894afabbb352e8709667?s=48 toshi0607
5
21k
入門 Knative 〜KubernetesとServerlessとの出会い〜 / getting started with knative
C000f292a92b894afabbb352e8709667?s=48 toshi0607
8
7.7k

Other Decks in Technology

See All in Technology
Micro frontends and micro services
Acc7788c2c6d2c4b43b875fcad502cd2?s=48 kashif98
0
160
やってみたLT会 Fleet Managerのススメ
3282faa17a370dd254382f4bf2c7ba3a?s=48 yukiiiiikuma
PRO
0
420
hey BOOK
69f5ab96892df4d8cbe32189f2ed2d9d?s=48 heyinc
26
290k
Learning to Solve Hard Minimal Problems
2c88806cbaab6024dc95b9a654c99d86?s=48 takmin
1
550
LINSTOR — это как Kubernetes, но для блочных устройств
93aef1d166a8a3536538eff713f80307?s=48 flant
0
4.2k
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
PRO
10
19k
Istioを活用したセキュアなマイクロサービスの実現/Secure Microservices with Istio
00851927294532e0742c2c174730dff0?s=48 ido_kara_deru
3
460
AWS環境のセキュリティどうやってチェックしてる?
A857277d74d4719f7f7751dca5ed553e?s=48 cmusudakeisuke
1
2.2k
エムスリー電子カルテチーム紹介資料
F33a4157978cd59d5417ae69b0265943?s=48 m3_engineering
3
140
データをコネコネ!メール配信用データ生成の仕組み
Cdb7fe48c050935995f8a6a58a5ceba9?s=48 kappezoro
0
130
AWS CLI でやってみる ~ AWS Hands-on for Beginners ECS ハンズオン ~
8785139c395ce2345ce535822b522dde?s=48 kentosuzuki
1
560
テクニカルライティングの検定を受けてみた話 / "My Story About Taking the Technical Writing Exam
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
1
240

Featured

See All Featured
YesSQL, Process and Tooling at Scale
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
157
12k
Designing Dashboards & Data Visualisations in Web Apps
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
223
49k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
6k
Stop Working from a Prison Cell
C1daf20e5c49ff910745198ef9869ac2?s=48 hatefulcrawdad
262
17k
A Philosophy of Restraint
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
192
15k
The Illustrated Children's Guide to Kubernetes
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
18
40k
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
53k
The Web Native Designer (August 2011)
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
75
2k
Why You Should Never Use an ORM
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
47
7.7k
What's in a price? How to price your products and services
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
229
9.4k
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.3k
Docker and Python
Ecdea9b9714877b86cee08458f085481?s=48 trallard
27
1.6k

Transcript

  1. 1 OPA & cloud resources July 7th 2021, Open Policy

    Agent Rego Knowledge Sharing Meetup @toshi0607

  2. 2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job

    ◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3

  3. 3 OPA in Mercari • Preparing guardrails for Istio at

    scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest

  4. 4 OPA in Mercari for Kubernetes • Capabilities • Host

    namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type

  5. 5 Example: Capabilities

  6. 6 Example: Capabilities

  7. 7 OPA for cloud resources • Domain agnostic and general

    purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2

  8. 8 Differences from use cases for Kubernetes • No gatekeeper

    ◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test

  9. 9 Differences from existing Terraform tools • terraform fmt ◦

    Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)

  10. 10 Use cases • Production readiness check ◦ Cloud SQL

    backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination

  11. 11 Example: Terraform module

  12. 12 Takeaways • OPA & Conftest support not only Kubernetes

    but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support