Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OPA and cloud resources

Toshinori Sugita
July 07, 2021
Technology
0
11k

OPA and cloud resources

Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/

Toshinori Sugita

July 07, 2021
Tweet

More Decks by Toshinori Sugita

See All by Toshinori Sugita
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
0
11k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
0
4.1k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
4
9.6k
Knativeへの誘い / Go Go Knative!
toshi0607
3
4.6k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
1
5.3k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
9
13k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
toshi0607
1
5.8k
Goで学ぶKnative #mercarigo / learning Knative with Go
toshi0607
5
22k
入門 Knative 〜KubernetesとServerlessとの出会い〜 / getting started with knative
toshi0607
8
8.2k

Other Decks in Technology

See All in Technology
AI完全初心者でも最新の生成AIの仕組がわかった気になれるプレゼン
shimap_sampo
5
1.6k
Security-JAWS#29 AWS Summit Tokyo 2023 オンデマンド配信を楽しむためのセキュリティ関連トピックご紹介
kthrtty
1
230
2023.06.01_LangChain/Llamaindex/Whisperを使ったアプリケーション開発のまとめと展望
pharma_x_tech
0
520
Антихрупкость в IT или как полюбить изменения
alexanderbyndyu
0
360
Semantic KernelでGPTと外部ツールを連携する
takashi1029
1
1.1k
プロデュ―サーさん、今日も安全運転でよろしくね☆~OBD2を用いた速度・回転数検知ツールの開発~
hato3isfriend
0
130
CyberAgent AI事業本部MLOps研修基礎編
hosimesi11
3
470
ChatGPTを活用した 便利ツールの紹介
hankehly
0
420
Head toward Java 20 and Java 21
line_developers
PRO
0
160
Predictive back transition Animation on Android 14
line_developers
PRO
1
280
MySQL and Vitess (and Kubernetes) at HubSpot
jfg956
0
150
時系列データをChatGPTで読み解いてみる【IoT-Tech Meetup】
soracom
PRO
0
700

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.3k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
How to name files
jennybc
51
79k
Learning to Love Humans: Emotional Interface Design
aarron
264
38k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
214
12k
For a Future-Friendly Web
brad_frost
166
8k
Optimizing for Happiness
mojombo
366
66k
GraphQLとの向き合い方2022年版
quramy
23
11k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
110
17k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
1.4k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k

Transcript

  1. 1
    OPA & cloud resources
    July 7th 2021, Open Policy Agent Rego Knowledge
    Sharing Meetup
    @toshi0607

    View Slide

  2. 2
    Self introduction
    ● Toshinori Sugita
    ○ @toshi0607
    ● Job
    ○ 2018 Merpay
    ■ microservice development
    ○ 2020 Mercari
    ■ microservice platform (platform infra)
    ● Books
    ○ 『GCPで学ぶTerraform 基礎編/実践編』
    ○ Knative本 × 3

    View Slide

  3. 3
    OPA in Mercari
    ● Preparing guardrails for Istio at scale
    ● Enhance Kubernetes Security with Gatekeeper
    ● Open Policy AgentとSpinnakerで実現するマイクロサービ
    スの安全な継続的デリバリー
    ● Introduce Conftest

    View Slide

  4. 4
    OPA in Mercari for Kubernetes
    ● Capabilities
    ● Host namespaces
    ● Host network
    ● Host path
    ● Privileged container
    ● Wildcard torelations
    ● Dedicated node pool
    access
    ● Liveness/Readiness prove
    ● Memory request/limit
    ● Pre stop
    ● PDB
    ● HPA
    ● VPA
    ● Datadog Metric
    ● Istio config
    ● DNS config
    ● External IP
    ● Service type

    View Slide

  5. 5
    Example: Capabilities

    View Slide

  6. 6
    Example: Capabilities

    View Slide

  7. 7
    OPA for cloud resources
    ● Domain agnostic and general purpose policy engine
    ● terraform plan and configuration can be converted
    to JSON
    ● Conftest supports JSON and HCL/HCL2

    View Slide

  8. 8
    Differences from use cases for Kubernetes
    ● No gatekeeper
    ○ Terraform -> GCP API
    ● Conftest
    ○ conftest verify
    ○ conftest test

    View Slide

  9. 9
    Differences from existing Terraform tools
    ● terraform fmt
    ○ Terraform style convention
    ● terraform validate
    ○ Terraform syntax
    ● terraform-linters/tflint
    ○ GCP API compatibility
    ● terraform variable (v0.13~)
    ○ General context for input via variable
    ● OPA
    ○ General context (reliability, security, company
    convention, etc.)

    View Slide

  10. 10
    Use cases
    ● Production readiness check
    ○ Cloud SQL backup, auto resize, maintenance
    window
    ○ Cloud Storage multi-regional, versioning
    ● Terraform module guard rail
    ○ Allow list
    ○ Service company, country, environment
    ○ Module version
    ○ Unintended combination

    View Slide

  11. 11
    Example: Terraform module

    View Slide

  12. 12
    Takeaways
    ● OPA & Conftest support not only Kubernetes but also
    a cloud resource (Terraform) use case
    ● OPA & Conftest covers fine-grained use cases that
    existing tools don’t support

    View Slide