Save 37% off PRO during our
Black Friday Sale! »
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
OPA and cloud resources
Toshinori Sugita
July 07, 2021
Technology
0
520
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
toshi0607
0
7.7k
toshi0607
0
3.2k
toshi0607
4
8.4k
toshi0607
3
3.7k
toshi0607
1
4.4k
toshi0607
8
11k
toshi0607
1
4.7k
toshi0607
5
20k
toshi0607
7
7k
Other Decks in Technology
See All in Technology
shimasan
0
230
okepy
PRO
0
610
sunaotabata
17
34k
pichuang
0
640
oracle4engineer
PRO
0
110
kakutani
3
390
wakama
0
310
godan
0
160
sinsoku
0
180
shirayanagiryuji
0
150
katahiro12345
0
110
aachan5550
0
420
Featured
See All Featured
colly
71
3.2k
malarkey
122
16k
eitanlees
120
11k
keathley
25
960
erikaheidi
29
5.3k
jnunemaker
PRO
44
5k
jlugia
218
16k
ufuk
61
7.3k
morganepeng
32
2.6k
jasonvnalue
88
8.4k
hursman
112
9.6k
bermonpainter
349
27k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
shimasan
okepy
sunaotabata
pichuang
oracle4engineer
kakutani
wakama
godan
sinsoku
shirayanagiryuji
katahiro12345
aachan5550
colly
malarkey
eitanlees
keathley
erikaheidi
jnunemaker
jlugia
ufuk
morganepeng
jasonvnalue
hursman
bermonpainter
