Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OPA and cloud resources
Search
Toshinori Sugita
July 07, 2021
Technology
0
13k
OPA and cloud resources
Open Policy Agent Rego Knowledge Sharing Meetup
https://mercari.connpass.com/event/211073/
Toshinori Sugita
July 07, 2021
Tweet
Share
More Decks by Toshinori Sugita
See All by Toshinori Sugita
文系学部卒ソフトウェアエンジニアが Georgia Techコンピューターサイエンス修士課程で直面したもの / What a Liberal Arts Graduate Software Engineer Faced in Georgia Tech's Computer Science Master's Program
toshi0607
3
320
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
6.6k
KompalWeather: Serverless Sauna Service with Cloud Run
toshi0607
0
12k
Knativeで作るDIY FaaS / serverless days fukuoka 2019 knative workshop
toshi0607
0
5.1k
Knativeで作るDIY FaaS / serverless days tokyo 2019 knative workshop
toshi0607
4
11k
Knativeへの誘い / Go Go Knative!
toshi0607
3
5.6k
Build serverless application on top of Kubernetes #sdmel19
toshi0607
1
6.3k
Knativeで実現するKubernetes上のサーバーレスアーキテクチャ #CNDT2019 #1E3 / serverless architecture on the top of K8s with Knative
toshi0607
9
15k
技術書典で高めるせんとう力 #エンジニア銭湯 / Tech book fest loves sauna
toshi0607
1
7.1k
Other Decks in Technology
See All in Technology
みんなのSRE 〜チーム全員でのSRE活動にするための4つの取り組み〜
kakehashi
PRO
2
120
人と生成AIの協調意思決定/Co‑decision making by people and generative AI
moriyuya
0
280
Strands Agents & Bedrock AgentCoreを1分でおさらい
minorun365
PRO
6
130
AI エンジニアの立場からみた、AI コーディング時代の開発の品質向上の取り組みと妄想
soh9834
8
630
金融サービスにおける高速な価値提供とAIの役割 #BetAIDay
layerx
PRO
1
550
Unson OS|48時間で「売れるか」を判定する AI 市場検証プラットフォーム
unson
0
160
オブザーバビリティプラットフォーム開発におけるオブザーバビリティとの向き合い / Hatena Engineer Seminar #34 オブザーバビリティの実現と運用編
arthur1
0
270
Power Automate のパフォーマンス改善レシピ / Power Automate Performance Improvement Recipes
karamem0
0
280
AI時代の経営、Bet AI Vision #BetAIDay
layerx
PRO
1
1.2k
From Live Coding to Vibe Coding with Firebase Studio
firebasethailand
1
400
Gemini in Android Studio - Google I/O Bangkok '25
akexorcist
0
160
帳票構造化タスクにおけるLLMファインチューニングの性能評価
yosukeyoshida
1
220
Featured
See All Featured
Speed Design
sergeychernyshev
32
1k
Visualization
eitanlees
146
16k
Into the Great Unknown - MozCon
thekraken
40
1.9k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
The Cult of Friendly URLs
andyhume
79
6.5k
Producing Creativity
orderedlist
PRO
346
40k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
How to Think Like a Performance Engineer
csswizardry
25
1.8k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
139
34k
Rails Girls Zürich Keynote
gr2m
95
14k
Transcript
1 OPA & cloud resources July 7th 2021, Open Policy
Agent Rego Knowledge Sharing Meetup @toshi0607
2 Self introduction • Toshinori Sugita ◦ @toshi0607 • Job
◦ 2018 Merpay ▪ microservice development ◦ 2020 Mercari ▪ microservice platform (platform infra) • Books ◦ 『GCPで学ぶTerraform 基礎編/実践編』 ◦ Knative本 × 3
3 OPA in Mercari • Preparing guardrails for Istio at
scale • Enhance Kubernetes Security with Gatekeeper • Open Policy AgentとSpinnakerで実現するマイクロサービ スの安全な継続的デリバリー • Introduce Conftest
4 OPA in Mercari for Kubernetes • Capabilities • Host
namespaces • Host network • Host path • Privileged container • Wildcard torelations • Dedicated node pool access • Liveness/Readiness prove • Memory request/limit • Pre stop • PDB • HPA • VPA • Datadog Metric • Istio config • DNS config • External IP • Service type
5 Example: Capabilities
6 Example: Capabilities
7 OPA for cloud resources • Domain agnostic and general
purpose policy engine • terraform plan and configuration can be converted to JSON • Conftest supports JSON and HCL/HCL2
8 Differences from use cases for Kubernetes • No gatekeeper
◦ Terraform -> GCP API • Conftest ◦ conftest verify ◦ conftest test
9 Differences from existing Terraform tools • terraform fmt ◦
Terraform style convention • terraform validate ◦ Terraform syntax • terraform-linters/tflint ◦ GCP API compatibility • terraform variable (v0.13~) ◦ General context for input via variable • OPA ◦ General context (reliability, security, company convention, etc.)
10 Use cases • Production readiness check ◦ Cloud SQL
backup, auto resize, maintenance window ◦ Cloud Storage multi-regional, versioning • Terraform module guard rail ◦ Allow list ◦ Service company, country, environment ◦ Module version ◦ Unintended combination
11 Example: Terraform module
12 Takeaways • OPA & Conftest support not only Kubernetes
but also a cloud resource (Terraform) use case • OPA & Conftest covers fine-grained use cases that existing tools don’t support
toshi0607
kakehashi
moriyuya
minorun365
soh9834
layerx
unson
.jpeg){kind=avatar}
arthur1
karamem0
firebasethailand
akexorcist
yosukeyoshida
sergeychernyshev
eitanlees
thekraken
sstephenson
andyhume
orderedlist
tammyeverts
lemiorhan
zakiyama
csswizardry
eileencodes
gr2m
