Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Toshinori Sugita
July 07, 2021
Technology
1
13k
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
toshi0607
2
3.5k
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
4
1k
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
8.4k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
1
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
1
5.2k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
toshi0607
4
5.8k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
2
6.5k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
10
15k
Other Decks in Technology
See All in Technology
Ruby版 JSXのRuxが気になる
sansantech
PRO
0
120
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
genda
1
460
GSIが複数キー対応したことで、俺達はいったい何が嬉しいのか?
smt7174
3
150
変化するコーディングエージェントとの現実的な付き合い方 〜Cursor安定択説と、ツールに依存しない「資産」〜
empitsu
4
1.3k
広告の効果検証を題材にした因果推論の精度検証について
zozotech
PRO
0
140
ブロックテーマ、WordPress でウェブサイトをつくるということ / 2026.02.07 Gifu WordPress Meetup
torounit
0
140
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
riku_423
2
490
20260204_Midosuji_Tech
takuyay0ne
1
130
GitLab Duo Agent Platform × AGENTS.md で実現するSpec-Driven Development / GitLab Duo Agent Platform × AGENTS.md
n11sh1
0
120
OWASP Top 10:2025 リリースと 少しの日本語化にまつわる裏話
okdt
PRO
2
320
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
aeonpeople
1
190
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
17k
Featured
See All Featured
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
410
XXLCSS - How to scale CSS and keep your sanity
sugarenia
249
1.3M
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.1k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
11
820
Designing Experiences People Love
moore
144
24k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
0
1.1k
ラッコキーワード サービス紹介資料
rakko
1
2.2M
Game over? The fight for quality and originality in the time of robots
wayneb77
1
110
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.4k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.2k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
51
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.2k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
sansantech
genda
smt7174
empitsu
zozotech
torounit
riku_423
takuyay0ne
n11sh1
okdt
aeonpeople
sansan33
tomoyanonymous
sugarenia
charlesmeaden
tammyeverts
moore
aleyda
rakko
wayneb77
marcduiker
auna
kastner
