Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OPA and cloud resources

Avatar for Toshinori Sugita Toshinori Sugita
July 07, 2021
Technology
0
13k

OPA and cloud resources

Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Avatar for Toshinori Sugita

Toshinori Sugita

July 07, 2021
Tweet

More Decks by Toshinori Sugita

See All by Toshinori Sugita
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
Avatar for Toshinori Sugita toshi0607
5
6.3k
KompalWeather: Serverless Sauna Service with Cloud Run
Avatar for Toshinori Sugita toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
0
5k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
Avatar for Toshinori Sugita toshi0607
4
11k
Knativeへの誘い / Go Go Knative!
Avatar for Toshinori Sugita toshi0607
3
5.6k
Build serverless application on top of Kubernetes #sdmel19
Avatar for Toshinori Sugita toshi0607
1
6.3k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
Avatar for Toshinori Sugita toshi0607
9
15k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
Avatar for Toshinori Sugita toshi0607
1
7k
Goで学ぶKnative #mercarigo / learning Knative with Go
Avatar for Toshinori Sugita toshi0607
5
24k

Other Decks in Technology

See All in Technology
Liquid Glass革新とSwiftUI/UIKit進化
Avatar for Fumiya Sakai fumiyasac0921
0
280
急成長を支える基盤作り〜地道な改善からコツコツと〜 #cre_meetup
Avatar for すてにゃん stefafafan
0
150
OpenHands🤲にContributeしてみた
Avatar for kotauchisunsun kotauchisunsun
1
480
asken AI勉強会(Android)
Avatar for 佐藤忠 tadashi_sato
0
110
Wasm元年
Avatar for asuka askua
0
160
解析の定理証明実践@Lean 4
Avatar for H Segawa dec9ue
1
180
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
Avatar for Masato Ishigaki / 石垣雅人 i35_267
0
190
あなたの声を届けよう! 女性エンジニア登壇の意義とアウトプット実践ガイド #wttjp / Call for Your Voice
Avatar for kondoyuko kondoyuko
4
490
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
3
920
5min GuardDuty Extended Threat Detection EKS
Avatar for takakuni takakuni
0
160
怖くない!はじめてのClaude Code
Avatar for Shinya Masadome(東京AI祭) shinya337
0
240
強化されたAmazon Location Serviceによる新機能と開発者体験
Avatar for Yasunori Kirimoto dayjournal
3
230

Featured

See All Featured
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
5.9k
KATA
Avatar for Megan Lloyd mclloyd
30
14k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
42
7.4k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
90
590k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
351
20k
Making Projects Easy
Avatar for Brett Harned brettharned
116
6.3k
Scaling GitHub
Avatar for Zach Holman holman
459
140k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.7k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
346
40k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.3k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k

Transcript

  1. 1 OPA & cloud resources July 7th 2021, Open Policy

    Agent Rego Knowledge Sharing Meetup @toshi0607

  2. 2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job

    ◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3

  3. 3 OPA in Mercari • Preparing guardrails for Istio at

    scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest

  4. 4 OPA in Mercari for Kubernetes • Capabilities • Host

    namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type

  5. 5 Example: Capabilities

  6. 6 Example: Capabilities

  7. 7 OPA for cloud resources • Domain agnostic and general

    purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2

  8. 8 Differences from use cases for Kubernetes • No gatekeeper

    ◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test

  9. 9 Differences from existing Terraform tools • terraform fmt ◦

    Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)

  10. 10 Use cases • Production readiness check ◦ Cloud SQL

    backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination

  11. 11 Example: Terraform module

  12. 12 Takeaways • OPA & Conftest support not only Kubernetes

    but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support