Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Toshinori Sugita
July 07, 2021
Technology
14k
1
Share
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
More Decks by Toshinori Sugita
See All by Toshinori Sugita
GKEを中心としたマルチプロダクト・マルチリージョン対応アプリケーションプラットフォームの継続的改善 / continuous improvement of GKE based application platform
toshi0607
1
160
組織を巻き込む大規模プラットフォーム移行戦略 〜50+サービスのマルチリージョン・マルチプロダクト化で学んだステークホルダー協働の実践〜 / Platform migration strategy engaging all stakeholders
toshi0607
2
5.8k
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
4
1.6k
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
9.1k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
1
13k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
1
5.3k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
5
11k
Knativeへの誘い / Go Go Knative!
toshi0607
4
5.9k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
2
6.6k
Other Decks in Technology
See All in Technology
M5Stack CoreS3とZephyr(RTOS)で Edge AIっぽいことしてみた
iotengineer22
0
270
AndroidアプリとCopilot Studioの統合
nakasho
0
110
Do Ruby::Box dream of Modular Monolith?
joker1007
1
350
マルチエージェント × ハーネスエンジニアリング × GitLab Duo Agent Platformで実現する「AIエージェントに仕事をさせる時代へ。」 / 20260421 GitLab Duo Agent Platform
n11sh1
0
170
AWS DevOps Agentはチームメイトになれるのか?/ Can AWS DevOps Agent become a teammate
kinunori
6
750
EBS暗号化に失敗してEC2が動かなくなった話
hamaguchimmm
2
210
20260428_Product Management Summit_Loglass_JoeHirose
loglassjoe
2
2.6k
バイブコーディングで3倍早く⚪⚪を作ってみた
samakada
0
110
目的ファーストのハーネス設計 ~ハーネスの変更容易性を高めるための優先順位~
gotalab555
8
2.2k
ハーネスエンジニアリングをやりすぎた話 ~そのハーネスは解体された~
gotalab555
4
1.8k
自分のハンドルは自分で握れ! ― 自分のケイパビリティを増やし、メンバーのケイパビリティ獲得を支援する ― / Take the wheel yourself
takaking22
1
940
はじめての MagicPod生成AI機能 機能紹介から活用方法まで
magicpod
0
110
Featured
See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
199
73k
Product Roadmaps are Hard
iamctodd
PRO
55
12k
How to make the Groovebox
asonas
2
2.1k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
250
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
69
39k
Git: the NoSQL Database
bkeepers
PRO
432
67k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Chasing Engaging Ingredients in Design
codingconduct
0
170
Public Speaking Without Barfing On Your Shoes - THAT 2023
reverentgeek
1
380
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
260
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
100
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
iotengineer22
nakasho
joker1007
n11sh1
kinunori
hamaguchimmm
loglassjoe
samakada
gotalab555
takaking22
magicpod
soudai
iamctodd
asonas
techseoconnect
akihiro_kokubo
bkeepers
pedronauck
codingconduct
reverentgeek
wjessup
tamaranovitovic
marketingsoph
