OPA and cloud resources
Toshinori Sugita
July 07, 2021
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Transcript
1 OPA & cloud resources
July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup
@toshi0607

2 Self introduction
• Toshinori Sugita
  ◦ @toshi0607
• Job
  ◦ 2018 Merpay
    ▪ microservice development
  ◦ 2020 Mercari
    ▪ microservice platform (platform infra)
• Books
  ◦ Learning Terraform with GCP: Basics / Practice (『GCPで学ぶTerraform 基礎編/実践編』)
  ◦ three Knative books

3 OPA in Mercari
• Preparing guardrails for Istio at scale
• Enhance Kubernetes Security with Gatekeeper
• Safe continuous delivery of microservices with Open Policy Agent and Spinnaker
• Introduce Conftest

4 OPA in Mercari for Kubernetes
• Capabilities
• Host namespaces
• Host network
• Host path
• Privileged container
• Wildcard tolerations
• Dedicated node pool access
• Liveness/Readiness probes
• Memory request/limit
• PreStop hook
• PDB
• HPA
• VPA
• Datadog metric
• Istio config
• DNS config
• External IP
• Service type

5 Example: Capabilities
[image-only slide; no text in the transcript]

6 Example: Capabilities
[image-only slide; no text in the transcript]
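Slides 5 and 6 ("Example: Capabilities") are images whose text did not survive in this transcript. The following is an added example, not the deck's own policy, of how the capabilities guardrail from slide 4 can be written as a Conftest policy: only an allow-listed capability may be added, and every container must drop ALL first. It uses the rego.v1 syntax (which postdates this 2021 talk but runs on current OPA and Conftest); the allow list, the file name and the constructed manifests used by the test rules are assumptions.

```rego
package main

import rego.v1

# Usage (policy saved as policy/capabilities.rego):
#   conftest test deployment.yaml   # evaluate the deny rules against a manifest
#   conftest verify                 # run the test_ rules at the bottom of this file

# Capabilities a container may add back after dropping ALL; the list is an assumption.
allowed_add_caps := {"NET_BIND_SERVICE"}

# Pod spec of a bare Pod, or the pod template of a Deployment/StatefulSet/DaemonSet/Job.
pod_spec := input.spec if {
	input.kind == "Pod"
} else := input.spec.template.spec

# Init containers are held to the same capabilities rules as regular containers.
containers contains c if some c in pod_spec.containers
containers contains c if some c in pod_spec.initContainers

deny contains msg if {
	some c in containers
	some cap in c.securityContext.capabilities.add
	not allowed_add_caps[cap]
	msg := sprintf("container %v adds capability %v, which is not in the allow list", [c.name, cap])
}

deny contains msg if {
	some c in containers
	# A missing drop list yields an empty set, so a container with no securityContext is denied too.
	dropped := {d | some d in c.securityContext.capabilities.drop}
	not dropped["ALL"]
	msg := sprintf("container %v must drop ALL capabilities (securityContext.capabilities.drop)", [c.name])
}

# Constructed manifests for conftest verify; not taken from the deck.
bad_deployment := {"kind": "Deployment", "spec": {"template": {"spec": {
	"containers": [{"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["SYS_ADMIN"]}}}],
	"initContainers": [{"name": "init"}]
}}}}

good_pod := {"kind": "Pod", "spec": {
	"containers": [{"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]
}}

test_bad_deployment_is_denied if {
	msgs := deny with input as bad_deployment
	count(msgs) == 2 # SYS_ADMIN added on "app", nothing dropped on "init"
}

test_good_pod_is_allowed if {
	count(deny) == 0 with input as good_pod
}
```

The second rule deliberately treats a missing securityContext as a violation rather than as "nothing to check": silence on capabilities means the container keeps the runtime's default set, which is what the guardrail is meant to prevent.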
7 OPA for cloud resources
• Domain-agnostic, general-purpose policy engine
• A terraform plan (via terraform show -json) and Terraform configuration can be converted to JSON
• Conftest supports JSON and HCL/HCL2 as input

8 Differences from use cases for Kubernetes
• No Gatekeeper
  ◦ Terraform calls the GCP API directly; there is no admission controller in between, so the policy has to run before apply (e.g. in CI)
• Conftest
  ◦ conftest verify (runs the policy's own unit tests)
  ◦ conftest test (evaluates the policy against the input files)

9 Differences from existing Terraform tools
• terraform fmt
  ◦ Terraform style convention
• terraform validate
  ◦ Terraform syntax
• terraform-linters/tflint
  ◦ GCP API compatibility
• terraform variable validation (v0.13+)
  ◦ General context for a single input variable
• OPA
  ◦ General context (reliability, security, company convention, etc.)

10 Use cases
• Production readiness check
  ◦ Cloud SQL: backup, auto resize, maintenance window
  ◦ Cloud Storage: multi-regional, versioning
• Terraform module guardrail
  ◦ Allow list
  ◦ Service, company, country, environment
  ◦ Module version
  ◦ Unintended combination

11 Example: Terraform module
[image-only slide; no text in the transcript]
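Slide 11 ("Example: Terraform module") is likewise an image-only slide. As an added example, not the deck's own policy, the following Conftest policy combines the production readiness checks and the module guardrail from slide 10 and evaluates a terraform plan converted to JSON with terraform show -json (the resource_changes and configuration.root_module.module_calls fields are part of Terraform's documented JSON output format). The allow-listed module prefix, the exact-pin rule, the file name and the constructed plan fragments used by the test rules are assumptions; the syntax is rego.v1.

```rego
package main

import rego.v1

# Usage (policy saved as policy/terraform.rego):
#   terraform plan -out tfplan.binary && terraform show -json tfplan.binary > tfplan.json
#   conftest test tfplan.json   # evaluate the deny rules against the plan
#   conftest verify             # run the test_ rules at the bottom of this file

# Module source prefixes that may be used; the list is an assumption for this example.
allowed_module_sources := {"terraform-google-modules/"}

# Versions must be pinned exactly, not given as a range such as "~> 5.0".
exact_version := `^[0-9]+\.[0-9]+\.[0-9]+$`

multi_regions := {"US", "EU", "ASIA"}

# Cloud SQL settings (paths under settings[0]) that must be present and true.
sql_required := {
	"backup_configuration.enabled": ["backup_configuration", 0, "enabled"],
	"disk_autoresize": ["disk_autoresize"],
	"maintenance_window.day": ["maintenance_window", 0, "day"]
}

# Resources being created or updated; deletes and no-ops carry no useful "after" state.
changed contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Production readiness: Cloud SQL backup, auto resize and maintenance window.
deny contains msg if {
	some rc in changed
	rc.type == "google_sql_database_instance"
	some name, path in sql_required
	not object.get(rc.change.after.settings[0], path, false)
	msg := sprintf("%v: settings.%v must be set", [rc.address, name])
}

# Production readiness: Cloud Storage versioning and multi-regional location.
deny contains msg if {
	some rc in changed
	rc.type == "google_storage_bucket"
	not rc.change.after.versioning[0].enabled
	msg := sprintf("%v: object versioning must be enabled", [rc.address])
}

deny contains msg if {
	some rc in changed
	rc.type == "google_storage_bucket"
	loc := upper(rc.change.after.location)
	not multi_regions[loc]
	msg := sprintf("%v: location %v is not multi-regional", [rc.address, rc.change.after.location])
}

# Module guardrail: allow-listed source and an exact version pin.
source_allowed(src) if {
	some prefix in allowed_module_sources
	startswith(src, prefix)
}

deny contains msg if {
	some name, call in input.configuration.root_module.module_calls
	not source_allowed(call.source)
	msg := sprintf("module %v: source %v is not on the allow list", [name, call.source])
}

deny contains msg if {
	some name, call in input.configuration.root_module.module_calls
	source_allowed(call.source)
	constraint := object.get(call, "version_constraint", "")
	not regex.match(exact_version, constraint)
	msg := sprintf("module %v: version must be pinned exactly (got %v)", [name, constraint])
}

# Constructed fragments of `terraform show -json` output for conftest verify; not real plans.
bad_plan := {
	"resource_changes": [{
		"address": "google_sql_database_instance.main", "type": "google_sql_database_instance",
		"change": {"actions": ["create"], "after": {"settings": [{"disk_autoresize": false, "backup_configuration": [{"enabled": false}], "maintenance_window": []}]}}
	}],
	"configuration": {"root_module": {"module_calls": {"net": {"source": "github.com/someone/vpc"}}}}
}

good_plan := {
	"resource_changes": [{
		"address": "google_sql_database_instance.main", "type": "google_sql_database_instance",
		"change": {"actions": ["create"], "after": {"settings": [{"disk_autoresize": true, "backup_configuration": [{"enabled": true}], "maintenance_window": [{"day": 7, "hour": 3}]}]}}
	}, {
		"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
		"change": {"actions": ["create"], "after": {"location": "US", "versioning": [{"enabled": true}]}}
	}],
	"configuration": {"root_module": {"module_calls": {"net": {"source": "terraform-google-modules/network/google", "version_constraint": "5.0.0"}}}}
}

test_bad_plan_is_denied if {
	msgs := deny with input as bad_plan
	count(msgs) == 4 # three Cloud SQL settings plus the module source
}

test_good_plan_passes if {
	count(deny) == 0 with input as good_plan
}
```

Because there is no admission controller between Terraform and the GCP API, this check belongs in CI before terraform apply, with a failing conftest test blocking the pipeline. One caveat when policing plan JSON: values that are only known after apply appear under change.after_unknown rather than change.after, so a rule that requires a computed attribute should consult after_unknown as well instead of treating the missing key as a violation.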
12 Takeaways
• OPA & Conftest support not only Kubernetes but also cloud resource (Terraform) use cases
• OPA & Conftest cover fine-grained use cases that existing tools don't support