Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Toshinori Sugita
July 07, 2021
Technology
0
13k
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
0
4.6k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
4
10k
Knativeへの誘い / Go Go Knative!
toshi0607
3
5.2k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
1
5.9k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
9
14k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
toshi0607
1
6.5k
Goで学ぶKnative #mercarigo / learning Knative with Go
toshi0607
5
24k
入門 Knative 〜KubernetesとServerlessとの出会い〜 / getting started with knative
toshi0607
8
9k
Other Decks in Technology
See All in Technology
成長期に歩みを止めないための創業期の開発文化形成
mayah
6
420
開発生産性をむしろ向上させる セキュリティパートナーの作り方 / Dev Productivity Con 2024
flatt_security
0
360
Github Actions 로 Android 팀의 효율성 극대화
hadonghyun
0
160
20240717_イケコパ代表Copilot_in_Teams会社でこう使ってます
ponponmikankan
2
430
【基調講演】変える、今ここから ― IoTとAIで紡ぐ未来
soracom
PRO
0
310
Flutter研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
160
ABEMAにおけるLLMを用いたコンテンツベース推薦システム導入と効果検証
cyberagentdevelopers
PRO
1
700
LLMアプリケーションの評価の実践と課題 ~PharmaXにおける今後の展望~
pharma_x_tech
2
160
累計ダウンロード数1億8000万を超えるアプリケーションプラットフォームのレガシーシステム脱却とモダン化への道
kmitsuhashi
0
120
Matterport を使ってクラスメソッド各拠点のバーチャルオフィスツアーを作成してみた
wakatsuki
0
160
What if...? 처음부터 다시 LLM 어플리케이션을 개발한다면
huffon
0
1k
地理情報とAPIのトレンド
nagix
0
160
Featured
See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
It's Worth the Effort
3n
181
27k
BBQ
matthewcrist
82
9k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
78
15k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
44
4.7k
Gamification - CAS2011
davidbonilla
78
4.9k
KATA
mclloyd
20
13k
WebSockets: Embracing the real-time Web
robhawkes
59
7.2k
Pencils Down: Stop Designing & Start Developing
hursman
118
11k
Automating Front-end Workflow
addyosmani
1362
200k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.5k
Building Applications with DynamoDB
mza
89
5.8k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support