©2021 VMware, Inc.
Open Policy Agent (OPA) and Kubernetes Policy
Mar. 12, 2021
CTO, North Asia (Japan, Korea and Greater China)
Motonori Shindo / motonori_shindo
What is a policy in the first place?

Something that specifies how things should be, given constraints imposed by some outside source:
• Laws and ordinances
• Business rules
• Application requirements
• Regional constraints
• Security requirements
• …
Photo by Scott Graham on Unsplash
Many systems each carry their own individual policies

(Figure: a set of independent systems, each with its own separate "Policy".)
What is Open Policy Agent (OPA)?

A domain-agnostic policy engine.
OPA only makes policy decisions; it is not involved in policy enforcement.
It has a declarative policy language called Rego, inspired by Datalog.
Open source; graduated from the CNCF in February 2021.
How it is used: as a library (Go), via a REST API, or as Wasm.
Source: https://www.openpolicyagent.org/docs/latest/
Rego Primer by Example
Network, Server, App Topologies

JSON:

{
  "servers": [
    {"id": "web", "proto": ["https", "ssh"], "ports": ["p1", "p2"]},
    {"id": "app", "proto": ["tomcat"], "ports": ["p3"]},
    {"id": "db", "proto": ["mysql"], "ports": ["p4"]}
  ],
  "networks": [
    {"id": "net1", "public": true},
    {"id": "net2", "public": false}
  ],
  "ports": [
    {"id": "p1", "network": "net1"},
    {"id": "p2", "network": "net2"},
    {"id": "p3", "network": "net2"},
    {"id": "p4", "network": "net2"}
  ]
}

(Figure: web serves https/ssh on p1 in Net1 (public, facing the Internet) and p2 in Net2 (private); app serves tomcat on p3 and db serves mysql on p4, both in Net2.)
Rego Primer by Example (1)
Complete Rules, References, Arrays, Logical AND, Assignments, Anonymous Variables, Packages

Policy:

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

Input:

{
  "servers": [
    {"id": "web", "proto": ["https", "ssh"], "ports": ["p1", "p2"]},
    {"id": "app", "proto": ["tomcat"], "ports": ["p3"]},
    {"id": "db", "proto": ["mysql"], "ports": ["p4"]}
  ],
  "networks": [
    {"id": "net1", "public": true},
    {"id": "net2", "public": false}
  ],
  "ports": [
    {"id": "p1", "network": "net1"},
    {"id": "p2", "network": "net2"},
    {"id": "p3", "network": "net2"},
    {"id": "p4", "network": "net2"}
  ]
}

Output:

{
  "any_public_networks": true
}
Rego Primer by Example (1)
Complete Rules

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

Complete Rule:
<head> = <term> { <body> }
If <body> evaluates to true, then <head> = <term>. The "= true" part can be omitted.
Rego Primer by Example (1)
References

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

"input" is a reserved global variable.
Rego Primer by Example (1)
References

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

Chaining with "." gives access to the nested levels of the JSON data.
Rego Primer by Example (1)
Arrays, Anonymous variables

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

[ ] denotes an array. '_' is the anonymous variable; it can be used wherever the value does not need to be referenced again later.
Rego Primer by Example (1)
Logical AND

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

Multiple <expression> lines inside a <body> are interpreted as a logical AND. Writing "<expression1> ; <expression2>" on one line is equivalent.
Rego Primer by Example (1)
Assignments

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

":=" is the assignment operator. Rego variables are immutable, so the same variable cannot be assigned twice with ":=".
Rego Primer by Example (1)
Packages

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

A package creates a namespace for Rego rules. The same namespace is used when the rules are queried through the Data API.
Rego Primer by Example (1)
Output

package example.rules

any_public_networks = true {
    net := input.networks[_]
    net.public
}

(Input and output are unchanged from the first slide of this series.)

Finally, the Output is returned.
Rego Primer by Example (2)
Partial Rules

Policy:

package example.rules

public_network[net.id] {
    net := input.networks[_]
    net.public
}

Input: the same topology JSON as on the earlier slides.

Output:

{
  "public_network": [
    "net1"
  ]
}

When <head> carries [ ], the rule is called a Partial Rule; it is used to produce a set of multiple values.
Rego Primer by Example (3)
Logical OR

Policy:

package example.rules

shell_accessible[server.id] {
    server := input.servers[_]
    server.proto[_] == "telnet"
}

shell_accessible[server.id] {
    server := input.servers[_]
    server.proto[_] == "ssh"
}

Input: the same topology JSON as on the earlier slides.

Output:

{
  "shell_accessible": [
    "web"
  ]
}

When several rules share the same <head>, they are interpreted as a logical OR.
Rego Primer by Example (4)
Iterations, Joins

Policy:

package example.rules

public_ports[id] {
    some i, j
    id := input.ports[i].id
    input.ports[i].network == input.networks[j].id
    input.networks[j].public
}

Input: the same topology JSON as on the earlier slides.

Output:

{
  "public_ports": [
    "p1"
  ]
}

In Rego, embedding a variable declared with "some" in an <expression> implicitly forms a loop over that variable's possible values.
Rego Primer by Example (5)
Comprehensions

Policy:

package example.rules

public_ports[port] {
    port := {p | p = input.ports[_]; n = input.networks[_];
             p.network == n.id; n.public}
}

Input: the same topology JSON as on the earlier slides.

Output:

{
  "public_ports": [
    [
      {
        "id": "p1",
        "network": "net1"
      }
    ]
  ]
}

As with sets in mathematics, comprehensions of the form { output element | conditions } are also possible.
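Pulling the primer's pieces together on the same topology: an added example, not from the slides, that joins servers to their ports and networks with partial rules and `some`, then flags servers that are both exposed on a public network and reachable over a shell protocol. It is written in the pre-1.0 Rego syntax the slides use (run `opa test -v .` on an OPA 0.x release, or add `--v0-compatible` on 1.x); the `topology` document is a constructed copy of the slide's JSON so the tests run offline.

```rego
package example.rules

# Constructed copy of the slides' topology, embedded so the tests run offline.
topology := {
    "servers": [
        {"id": "web", "proto": ["https", "ssh"], "ports": ["p1", "p2"]},
        {"id": "app", "proto": ["tomcat"], "ports": ["p3"]},
        {"id": "db", "proto": ["mysql"], "ports": ["p4"]}
    ],
    "networks": [
        {"id": "net1", "public": true},
        {"id": "net2", "public": false}
    ],
    "ports": [
        {"id": "p1", "network": "net1"},
        {"id": "p2", "network": "net2"},
        {"id": "p3", "network": "net2"},
        {"id": "p4", "network": "net2"}
    ]
}

# Set of network ids that are public (partial rule, as on the Partial Rules slide).
public_network[net.id] {
    net := input.networks[_]
    net.public
}

# Join ports to networks: the set of port ids that sit on a public network.
public_port[port.id] {
    some i
    port := input.ports[i]
    public_network[port.network]
}

# Join servers to ports: a server is exposed if any one of its ports is public.
exposed_server[server.id] {
    some i
    server := input.servers[i]
    public_port[server.ports[_]]
}

# Servers that speak ssh or telnet (logical OR via two rules with the same head).
shell_accessible[server.id] {
    server := input.servers[_]
    server.proto[_] == "ssh"
}

shell_accessible[server.id] {
    server := input.servers[_]
    server.proto[_] == "telnet"
}

# A violation is a server that is both exposed on a public network and reachable
# over a shell protocol. This is a partial set rule, so duplicate messages collapse.
violation[msg] {
    server_id := exposed_server[_]
    shell_accessible[server_id]
    msg := sprintf("server %v offers shell access on a public network", [server_id])
}

# Tests: `opa test` runs every rule whose name starts with test_.
test_public_port_is_only_p1 {
    public_port == {"p1"} with input as topology
}

test_web_is_the_only_violation {
    violation == {"server web offers shell access on a public network"} with input as topology
}

test_no_violation_when_web_drops_ssh {
    # Same topology with ssh removed from the web server (json.patch is an OPA built-in).
    patched := json.patch(topology, [{"op": "replace", "path": "/servers/0/proto", "value": ["https"]}])
    count(violation) == 0 with input as patched
}
```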
Rego built-in functions
https://www.openpolicyagent.org/docs/latest/policy-reference/#built-in-functions

Comparison
• ==, !=, <, <=, >, >=
Numbers
• +, -, *, /, %, round(), abs(), etc.
Aggregates
• count(), sum(), max(), min(), product(), sort(), etc.
Arrays
• concat(), slice()
Sets
• get(), remove(), union(), filter(), etc.
Strings
• concat(), contains(), startswith(), endswith(), etc.
Regular expressions
• match(), is_valid(), split(), find_n(), etc.
Glob
• match(), quote_meta()
Bit operations
• or(), and(), negate(), xor(), lsh(), rsh()
Conversion
• to_number()
Types
• is_number(), is_string(), is_boolean(), etc.
Encoding
• encode(), decode(), marshal(), unmarshal(), etc.
Rego built-in functions (continued)
https://www.openpolicyagent.org/docs/latest/policy-reference/#built-in-functions

Token signing
• encode_sign_raw(), encode_sign()
Token verification
• verify_rs256(), verify_rs384(), etc.
Time
• date(), clock(), weekday(), add_date(), etc.
Crypto
• md5(), sha1(), sha256(), parse_certificates(), etc.
Graph
• walk(), reachable()
HTTP
• send()
Networking
• cidr_contains(), cidr_intersects(), etc.
UUID
• rfc4122()
Semantic versions
• is_valid(), compare()
Rego
• parse_module()
OPA
• runtime()
Debugging
• trace()
Rego Playground
https://play.openpolicyagent.org/
The OPA ecosystem
Kubernetes and OPA integration - Gatekeeper

• Gatekeeper acts as a bridge between the Kubernetes API server and OPA
• The API server triggers Gatekeeper's admission webhook
• The constraints you want to impose are written in Rego
Source: https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
Policy Template and Policy Instance resources

Policy Template (ConstraintTemplate):

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }

Policy Instance (Constraint):

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]
Policy Templates provided by Tanzu Mission Control
Policy example (1) - tmc-block-nodeport-service
Case without parameters
ConstraintTemplate:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: tmc-block-nodeport-service
spec:
  crd:
    spec:
      names:
        kind: tmc-block-nodeport-service
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package tmcblocknodeportsvc

        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.kind.group == ""
          input.review.object.spec.type == "NodePort"
          msg := "service of type NodePort is forbidden"
        }

Admission Review Request (relevant portion only; trailing commas mark fields left out):

{
  "review": {
    "object": {
      "apiVersion": "v1",
      "kind": "Service",
      "spec": {
        "type": "NodePort"
      },
    },
    "kind": {
      "kind": "Service",
      "group": "",
      "version": "v1"
    },
  }
}

The full Admission Review Request is here.
Policy example (2) - tmc-require-labels
Case with parameters
ConstraintTemplate:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: tmc-require-labels
spec:
  # (crd section omitted on the slide)
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package tmcrequirelabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_].key}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("You must provide labels with keys: %v", [missing])
        }

        violation[{"msg": msg}] {
          value := input.review.object.metadata.labels[key]
          expected := input.parameters.labels[_]
          expected.key == key
          expected.value != ""
          expected.value != value
          msg := sprintf("Label <%v: %v> must match the value: %v", [key, value, expected.value])
        }

Admission Review Request (relevant portion only; trailing commas mark fields left out):

{
  "parameters": {
    "labels": [
      {
        "value": "production",
        "key": "env"
      },
    ]
  },
  "review": {
    "object": {
      "apiVersion": "apps/v1",
      "kind": "Deployment",
      "metadata": {
        "labels": {
          "app": "nginx",
          "env": "production"
        },
      },
    },
  }
}

The full Admission Review Request is here.
VMware HANDS-ON LABS / HOL-2132-01-MAP
https://labs.hol.vmware.com/HOL/catalogs/catalog/1212
Exercises
Exercise (1)
Write a policy that denies the creation of Pods whose securityContext has privileged set to true.

Allowed case:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-non-privileged
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      privileged: false

Denied case:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-privileged
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      privileged: true

The full Admission Review Request for each case is here.
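One way to solve Exercise (1), as an added example that is not from the slides or from Tanzu Mission Control: the Rego module of a ConstraintTemplate that rejects privileged containers, checking initContainers (and ephemeralContainers) as well as containers, since a policy that only inspects spec.containers lets a privileged init container through. The package name, the message text and the constructed AdmissionReview fragments are assumptions; run with `opa test -v .` on OPA 0.x (or `--v0-compatible` on 1.x).

```rego
package k8sdenyprivileged

# Every container list a Pod spec can carry. ephemeralContainers are added later
# through the pods/ephemeralcontainers subresource, so the Constraint's match must
# cover that subresource too for this rule to see them.
container_lists := ["containers", "initContainers", "ephemeralContainers"]

# All containers of the reviewed Pod, tagged with the list they came from.
pod_containers[c] {
    list := container_lists[_]
    container := input.review.object.spec[list][_]
    c := {"list": list, "name": container.name, "spec": container}
}

violation[{"msg": msg}] {
    input.review.kind.kind == "Pod"
    input.review.kind.group == ""
    c := pod_containers[_]
    # Undefined when securityContext or privileged is absent, so such containers pass.
    c.spec.securityContext.privileged == true
    msg := sprintf("privileged container is not allowed: %v/%v", [c.list, c.name])
}

# Constructed AdmissionReview fragment shaped like the slide's, with one init
# container and one regular container whose privileged flags are parameters.
pod_review(privileged, init_privileged) = review {
    review := {"review": {
        "kind": {"kind": "Pod", "group": "", "version": "v1"},
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "nginx", "labels": {"app": "nginx"}},
            "spec": {
                "initContainers": [{"name": "init", "image": "busybox",
                                    "securityContext": {"privileged": init_privileged}}],
                "containers": [{"name": "nginx", "image": "nginx",
                                "securityContext": {"privileged": privileged}}]
            }
        }
    }}
}

test_non_privileged_allowed {
    req := pod_review(false, false)
    count(violation) == 0 with input as req
}

test_privileged_container_denied {
    req := pod_review(true, false)
    msgs := {v.msg | v := violation[_]} with input as req
    msgs == {"privileged container is not allowed: containers/nginx"}
}

test_privileged_init_container_denied {
    req := pod_review(false, true)
    msgs := {v.msg | v := violation[_]} with input as req
    msgs == {"privileged container is not allowed: initContainers/init"}
}

test_missing_security_context_allowed {
    req := {"review": {
        "kind": {"kind": "Pod", "group": "", "version": "v1"},
        "object": {"spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}
    }}
    count(violation) == 0 with input as req
}
```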
Exercise (2)
Write a policy that allows the creation only of Pods whose containerPort lies in the range min < port number < max, where min and max are passed as parameters.

Allowed case:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-port-8080
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 8080

Denied case:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-port-80
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80

The full Admission Review Request for each case is here.
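One way to solve Exercise (2), as an added example that is not from the slides: the Rego module of a parameterized ConstraintTemplate that takes `min` and `max` from `input.parameters`, treats both bounds as exclusive exactly as the exercise states, and also rejects a Constraint whose parameters are inverted instead of silently allowing everything. The parameter names, package name and constructed AdmissionReview fragments are assumptions; run with `opa test -v .` on OPA 0.x (or `--v0-compatible` on 1.x).

```rego
package k8scontainerportrange

# Every containerPort declared by any regular or init container in the Pod.
declared_port[{"container": container.name, "port": port.containerPort}] {
    lists := ["containers", "initContainers"]
    container := input.review.object.spec[lists[_]][_]
    port := container.ports[_]
}

# "min < port < max": both bounds are exclusive.
in_range(port, min, max) {
    port > min
    port < max
}

violation[{"msg": msg}] {
    input.review.kind.kind == "Pod"
    input.review.kind.group == ""
    min := input.parameters.min
    max := input.parameters.max
    p := declared_port[_]
    not in_range(p.port, min, max)
    msg := sprintf("container %v: containerPort %v is outside the open range (%v, %v)",
                   [p.container, p.port, min, max])
}

# A misconfigured Constraint (min >= max) would otherwise admit no port at all
# without saying why; surface it as its own violation.
violation[{"msg": msg}] {
    input.review.kind.kind == "Pod"
    input.review.kind.group == ""
    input.parameters.min >= input.parameters.max
    msg := sprintf("invalid parameters: min %v must be less than max %v",
                   [input.parameters.min, input.parameters.max])
}

# Constructed AdmissionReview fragment: one nginx container exposing the given ports.
pod_review(ports, min, max) = review {
    review := {
        "parameters": {"min": min, "max": max},
        "review": {
            "kind": {"kind": "Pod", "group": "", "version": "v1"},
            "object": {"spec": {"containers": [{
                "name": "nginx", "image": "nginx",
                "ports": [{"containerPort": p} | p := ports[_]]
            }]}}
        }
    }
}

test_port_8080_allowed {
    req := pod_review([8080], 1024, 32768)
    count(violation) == 0 with input as req
}

test_port_80_denied {
    req := pod_review([80], 1024, 32768)
    count(violation) == 1 with input as req
}

test_bound_itself_is_denied {
    # Exclusive bounds: 1024 is not strictly greater than min.
    req := pod_review([1024], 1024, 32768)
    count(violation) == 1 with input as req
}

test_no_ports_allowed {
    req := pod_review([], 1024, 32768)
    count(violation) == 0 with input as req
}

test_inverted_parameters_rejected {
    req := pod_review([8080], 32768, 1024)
    msgs := {v.msg | v := violation[_]} with input as req
    msgs["invalid parameters: min 32768 must be less than max 1024"]
}
```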
Exercise (3)
Write a policy that denies the creation of a namespace whose name contains a particular string (for example "slave"). Assume that more than one string to reject can be given.
Hint: try the built-in function "contains()".

Allowed case:

% kubectl create namespace ns-good

Denied case:

% kubectl create namespace ns-slave

The full Admission Review Request for each case is here.
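One way to solve Exercise (3), as an added example that is not from the slides: the Rego module of a ConstraintTemplate that takes a list of forbidden strings from `input.parameters` and uses the `contains()` built-in from the hint, comparing case-insensitively with `lower()` so "Slave" does not slip past "slave", and checking `generateName` as well as `name` so a forbidden prefix cannot bypass the rule. The parameter name, package name and constructed AdmissionReview fragments are assumptions; run with `opa test -v .` on OPA 0.x (or `--v0-compatible` on 1.x).

```rego
package k8sdenynamespacenames

# Both metadata fields that can determine a Namespace's final name.
name_fields := ["name", "generateName"]

candidate_name[n] {
    field := name_fields[_]
    n := input.review.object.metadata[field]
}

violation[{"msg": msg}] {
    input.review.kind.kind == "Namespace"
    input.review.kind.group == ""
    name := candidate_name[_]
    forbidden := input.parameters.forbidden[_]
    # Case-insensitive substring check using the contains() built-in.
    contains(lower(name), lower(forbidden))
    msg := sprintf("namespace name %v contains forbidden string %v", [name, forbidden])
}

# Constructed AdmissionReview fragment for a Namespace with the given metadata.
ns_review(metadata) = review {
    review := {
        "parameters": {"forbidden": ["slave", "master"]},
        "review": {
            "kind": {"kind": "Namespace", "group": "", "version": "v1"},
            "object": {"apiVersion": "v1", "kind": "Namespace", "metadata": metadata}
        }
    }
}

test_ns_good_allowed {
    req := ns_review({"name": "ns-good"})
    count(violation) == 0 with input as req
}

test_ns_slave_denied {
    req := ns_review({"name": "ns-slave"})
    msgs := {v.msg | v := violation[_]} with input as req
    msgs == {"namespace name ns-slave contains forbidden string slave"}
}

test_mixed_case_denied {
    req := ns_review({"name": "Team-MASTER"})
    count(violation) == 1 with input as req
}

test_generate_name_prefix_denied {
    req := ns_review({"generateName": "slave-"})
    count(violation) == 1 with input as req
}

test_other_kind_ignored {
    # Same forbidden strings, but the object under review is not a Namespace.
    req := json.patch(ns_review({"name": "ns-slave"}),
                      [{"op": "replace", "path": "/review/kind/kind", "value": "ConfigMap"}])
    count(violation) == 0 with input as req
}
```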
Reference links

Open Policy Agent official site
• https://www.openpolicyagent.org/
• https://github.com/open-policy-agent
Learning Open Policy Agent with Tanzu Mission Control, Parts 1 to 4, by Hoshino-san of VMware
• https://blog.lespaulstudioplus.info/posts/tmc-demanabu-opa/
OPA Deep Dive, KubeCon NA 2019
• https://www.youtube.com/watch?v=Uj2N9S58GLU
TGIK 119 Gatekeeper and OPA
• https://www.youtube.com/watch?v=ZJgaGJm9NJE
Styra
• https://www.styra.com/
• https://academy.styra.com/
Thank You


おうち Lab で GitDNSOps / GitDNS Ops in My Home Lab
おうち Lab で GitDNSOps / GitDNS Ops in My Home Labおうち Lab で GitDNSOps / GitDNS Ops in My Home Lab
おうち Lab で GitDNSOps / GitDNS Ops in My Home Lab
Motonori Shindo
 
Tanzu Mission Control における Open Policy Agent (OPA) の利用
Tanzu Mission Control における Open Policy Agent (OPA) の利用Tanzu Mission Control における Open Policy Agent (OPA) の利用
Tanzu Mission Control における Open Policy Agent (OPA) の利用
Motonori Shindo
 
急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea 急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea
Motonori Shindo
 
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Motonori Shindo
 
宣言的(Declarative)ネットワーキング
宣言的(Declarative)ネットワーキング宣言的(Declarative)ネットワーキング
宣言的(Declarative)ネットワーキング
Motonori Shindo
 
Service Mesh for Enterprises / Cloud Native Days Tokyo 2019
Service Mesh for Enterprises / Cloud Native Days Tokyo 2019Service Mesh for Enterprises / Cloud Native Days Tokyo 2019
Service Mesh for Enterprises / Cloud Native Days Tokyo 2019
Motonori Shindo
 
Idea Hackathon at vFORUM 2019 Tokyo
Idea Hackathon at vFORUM 2019 TokyoIdea Hackathon at vFORUM 2019 Tokyo
Idea Hackathon at vFORUM 2019 Tokyo
Motonori Shindo
 
Containers and Virtual Machines: Friends or Enemies?
Containers and Virtual Machines: Friends or Enemies?Containers and Virtual Machines: Friends or Enemies?
Containers and Virtual Machines: Friends or Enemies?
Motonori Shindo
 
Open Source Projects by VMware
Open Source Projects by VMwareOpen Source Projects by VMware
Open Source Projects by VMware
Motonori Shindo
 
Serverless Framework "Disptach" の紹介
Serverless Framework "Disptach" の紹介Serverless Framework "Disptach" の紹介
Serverless Framework "Disptach" の紹介
Motonori Shindo
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
Motonori Shindo
 
フロー技術によるネットワーク管理
フロー技術によるネットワーク管理フロー技術によるネットワーク管理
フロー技術によるネットワーク管理
Motonori Shindo
 
Viptela 顧客事例
Viptela 顧客事例Viptela 顧客事例
Viptela 顧客事例
Motonori Shindo
 
ViptelaのSD-WANとクラウド最適化ネットワーク
ViptelaのSD-WANとクラウド最適化ネットワークViptelaのSD-WANとクラウド最適化ネットワーク
ViptelaのSD-WANとクラウド最適化ネットワーク
Motonori Shindo
 
OpenStack Congress and Datalog (English)
OpenStack Congress and Datalog (English)OpenStack Congress and Datalog (English)
OpenStack Congress and Datalog (English)
Motonori Shindo
 
OpenStack Congress and Datalog (Japanese)
OpenStack Congress and Datalog (Japanese)OpenStack Congress and Datalog (Japanese)
OpenStack Congress and Datalog (Japanese)
Motonori Shindo
 
L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)Motonori Shindo
 
L2 over L3 ecnaspsulations
L2 over L3 ecnaspsulationsL2 over L3 ecnaspsulations
L2 over L3 ecnaspsulations
Motonori Shindo
 
VMware NSXがサポートするトンネル方式について
VMware NSXがサポートするトンネル方式についてVMware NSXがサポートするトンネル方式について
VMware NSXがサポートするトンネル方式について
Motonori Shindo
 
CloudStack 4.1 + NVP Integration
CloudStack 4.1 + NVP IntegrationCloudStack 4.1 + NVP Integration
CloudStack 4.1 + NVP Integration
Motonori Shindo
 

More from Motonori Shindo (20)

おうち Lab で GitDNSOps / GitDNS Ops in My Home Lab
おうち Lab で GitDNSOps / GitDNS Ops in My Home Labおうち Lab で GitDNSOps / GitDNS Ops in My Home Lab
おうち Lab で GitDNSOps / GitDNS Ops in My Home Lab
 
Tanzu Mission Control における Open Policy Agent (OPA) の利用
Tanzu Mission Control における Open Policy Agent (OPA) の利用Tanzu Mission Control における Open Policy Agent (OPA) の利用
Tanzu Mission Control における Open Policy Agent (OPA) の利用
 
急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea 急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea
 
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
 
宣言的(Declarative)ネットワーキング
宣言的(Declarative)ネットワーキング宣言的(Declarative)ネットワーキング
宣言的(Declarative)ネットワーキング
 
Service Mesh for Enterprises / Cloud Native Days Tokyo 2019
Service Mesh for Enterprises / Cloud Native Days Tokyo 2019Service Mesh for Enterprises / Cloud Native Days Tokyo 2019
Service Mesh for Enterprises / Cloud Native Days Tokyo 2019
 
Idea Hackathon at vFORUM 2019 Tokyo
Idea Hackathon at vFORUM 2019 TokyoIdea Hackathon at vFORUM 2019 Tokyo
Idea Hackathon at vFORUM 2019 Tokyo
 
Containers and Virtual Machines: Friends or Enemies?
Containers and Virtual Machines: Friends or Enemies?Containers and Virtual Machines: Friends or Enemies?
Containers and Virtual Machines: Friends or Enemies?
 
Open Source Projects by VMware
Open Source Projects by VMwareOpen Source Projects by VMware
Open Source Projects by VMware
 
Serverless Framework "Disptach" の紹介
Serverless Framework "Disptach" の紹介Serverless Framework "Disptach" の紹介
Serverless Framework "Disptach" の紹介
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
 
フロー技術によるネットワーク管理
フロー技術によるネットワーク管理フロー技術によるネットワーク管理
フロー技術によるネットワーク管理
 
Viptela 顧客事例
Viptela 顧客事例Viptela 顧客事例
Viptela 顧客事例
 
ViptelaのSD-WANとクラウド最適化ネットワーク
ViptelaのSD-WANとクラウド最適化ネットワークViptelaのSD-WANとクラウド最適化ネットワーク
ViptelaのSD-WANとクラウド最適化ネットワーク
 
OpenStack Congress and Datalog (English)
OpenStack Congress and Datalog (English)OpenStack Congress and Datalog (English)
OpenStack Congress and Datalog (English)
 
OpenStack Congress and Datalog (Japanese)
OpenStack Congress and Datalog (Japanese)OpenStack Congress and Datalog (Japanese)
OpenStack Congress and Datalog (Japanese)
 
L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)
 
L2 over L3 ecnaspsulations
L2 over L3 ecnaspsulationsL2 over L3 ecnaspsulations
L2 over L3 ecnaspsulations
 
VMware NSXがサポートするトンネル方式について
VMware NSXがサポートするトンネル方式についてVMware NSXがサポートするトンネル方式について
VMware NSXがサポートするトンネル方式について
 
CloudStack 4.1 + NVP Integration
CloudStack 4.1 + NVP IntegrationCloudStack 4.1 + NVP Integration
CloudStack 4.1 + NVP Integration
 

Recently uploaded

Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 

Recently uploaded (20)

Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

Open Policy Agent (OPA) and Kubernetes Policy

  • 1. Open Policy Agent (OPA) and Kubernetes Policy
    Mar. 12, 2021
    Motonori Shindo / motonori_shindo, CTO, North Asia (Japan, Korea and Greater China)
    ©2021 VMware, Inc.
  • 2. What is a policy in the first place?
    Something that specifies how things should be, given constraints imposed by some authority:
    • laws and ordinances
    • business rules
    • application requirements
    • regional constraints
    • security requirements
    • ...
    Photo by Scott Graham on Unsplash
  • 4. What is Open Policy Agent (OPA)?
    A domain-agnostic policy engine.
    OPA makes only the policy decision; it plays no part in policy enforcement.
    It has a declarative, Datalog-inspired policy language called Rego.
    Open source; graduated from the CNCF in February 2021.
    How to use it: as a library (Go), through the REST API, or as Wasm.
    Source: https://www.openpolicyagent.org/docs/latest/
  • 5. Rego Primer by Example: Network, Server and App Topologies
    JSON input used throughout the primer:
      {
        "servers": [
          {"id": "web", "proto": ["https", "ssh"], "ports": ["p1", "p2"]},
          {"id": "app", "proto": ["tomcat"], "ports": ["p3"]},
          {"id": "db", "proto": ["mysql"], "ports": ["p4"]}
        ],
        "networks": [
          {"id": "net1", "public": true},
          {"id": "net2", "public": false}
        ],
        "ports": [
          {"id": "p1", "network": "net1"},
          {"id": "p2", "network": "net2"},
          {"id": "p3", "network": "net2"},
          {"id": "p4", "network": "net2"}
        ]
      }
    [Diagram: servers web (https, ssh), app (tomcat) and db (mysql); ports p1 to p4; Net1 (public), reachable from the Internet, and Net2 (private)]
  • 6. Rego Primer by Example (1): Complete Rules, References, Arrays, Logical AND, Assignments, Anonymous Variable, Packages
    Policy:
      package example.rules

      any_public_networks = true {
          net := input.networks[_]
          net.public
      }
    Input: the topology JSON from the "Rego Primer by Example" slide above.
    Output:
      {
        "any_public_networks": true
      }
  • 7. Rego Primer by Example (1): Complete Rules
    (Policy, Input and Output as on the previous slide.)
    Complete Rule: <head> = <term> { <body> }
    If <body> is true, then <head> = <term>. The "= true" part may be omitted.
  • 8. Rego Primer by Example (1): References
    (Policy, Input and Output as on slide 6.)
    "input" is a reserved global variable.
  • 9. Rego Primer by Example (1): References
    (Policy, Input and Output as on slide 6.)
    Chaining with "." gives access to the hierarchical JSON data.
  • 10. Rego Primer by Example (1): Arrays, Anonymous variables
    (Policy, Input and Output as on slide 6.)
    [ ] denotes an array. '_' is an anonymous variable; it can be used whenever the value does not need to be referenced later.
  • 11. Rego Primer by Example (1): Logical AND
    (Policy, Input and Output as on slide 6.)
    Multiple lines of <expression> within a <body> are interpreted as a logical AND. Writing "<expression1>; <expression2>" is equivalent.
  • 12. Rego Primer by Example (1): Assignments
    (Policy, Input and Output as on slide 6.)
    ":=" is the assignment operator. Rego variables are immutable, so the same variable cannot be assigned twice with ":=".
  • 13. Rego Primer by Example (1): Packages
    (Policy, Input and Output as on slide 6.)
    A package creates a namespace for Rego rules. The same namespace is used when the rules are called through the Data API.
  • 14. Rego Primer by Example (1): Output
    (Policy, Input and Output as on slide 6.)
    Finally, the Output is returned.
  • 15. Rego Primer by Example (2): Partial Rules
    Policy:
      package example.rules

      public_network[net.id] {
          net := input.networks[_]
          net.public
      }
    Input: the topology JSON from slide 5.
    Output:
      {
        "public_network": [
          "net1"
        ]
      }
    When the <head> carries [ ], the rule is called a Partial Rule and is used to produce multiple values.
  • 16. Rego Primer by Example (3): Logical OR
    Policy:
      package example.rules

      shell_accessible[server.id] {
          server := input.servers[_]
          server.proto[_] == "telnet"
      }

      shell_accessible[server.id] {
          server := input.servers[_]
          server.proto[_] == "ssh"
      }
    Input: the topology JSON from slide 5.
    Output:
      {
        "shell_accessible": [
          "web"
        ]
      }
    When several rules share the same <head>, they are interpreted as a logical OR.
  • 17. Rego Primer by Example (4): Iterations, Joins
    Policy:
      package example.rules

      public_ports[id] {
          some i, j
          id := input.ports[i].id
          input.ports[i].network == input.networks[j].id
          input.networks[j].public
      }
    Input: the topology JSON from slide 5.
    Output:
      {
        "public_ports": [
          "p1"
        ]
      }
    In Rego, embedding a variable declared with "some" in an <expression> implicitly forms a loop over the collection it indexes.
  • 18. Rego Primer by Example (5): Comprehensions
    Policy:
      package example.rules

      public_ports[port] {
          port := {p | p = input.ports[_] ; n = input.networks[_] ; p.network == n.id ; n.public }
      }
    Input: the topology JSON from slide 5.
    Output:
      {
        "public_ports": [
          [
            {
              "id": "p1",
              "network": "net1"
            }
          ]
        ]
      }
    As with sets in mathematics, a comprehension of the form { output element | conditions } can also be written.
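To see the primer's constructs working together, here is an added example (not from the slides) evaluated against the same topology JSON: a three-way join across servers, ports and networks, two OR-ed partial rules, their intersection as a violation set, a complete allow rule with a default, and an object comprehension. It uses only field names from the slide input; the rule names and the default keyword are choices made here.

```rego
package example.rules

# Added example, not from the slides: the primer's constructs combined into
# one policy over the slide-5 topology (servers, ports, networks).

# "default" gives a complete rule a value when no body succeeds; without it
# allow would be undefined instead of false when a violation exists.
default allow = false

# Complete rule: the topology is acceptable only when nothing is flagged.
allow {
    count(violation) == 0
}

# Partial rule built from a join (slide 17 joins ports to networks; this adds
# the servers -> ports hop): a server is public when any of its ports sits on
# a network marked public.
public_server[server.id] {
    some i, j, k
    server := input.servers[i]
    server.ports[_] == input.ports[j].id
    input.ports[j].network == input.networks[k].id
    input.networks[k].public
}

# Two rules with the same head are OR-ed (slide 16).
shell_accessible[server.id] {
    server := input.servers[_]
    server.proto[_] == "telnet"
}

shell_accessible[server.id] {
    server := input.servers[_]
    server.proto[_] == "ssh"
}

# Referencing two partial sets with the same variable intersects them:
# a shell service reachable from a public network is what we flag.
violation[id] {
    public_server[id]
    shell_accessible[id]
}

# Object comprehension (slide 18 shows a set comprehension): server id -> set
# of network ids it is attached to, usable by a report or a further rule.
server_networks := {server.id: nets |
    server := input.servers[_]
    nets := {port.network |
        port := input.ports[_]
        server.ports[_] == port.id
    }
}
```

Save the slide-5 JSON as input.json and evaluate with `opa eval -i input.json -d policy.rego data.example.rules`; on that data the only violation is web, whose port p1 sits on the public net1 and which speaks ssh, so allow is false.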
  • 19. 22 ©2021 VMware, Inc. Rego 組み込み関数 https://www.openpolicyagent.org/docs/latest/policy-reference/#built-in-functions ⽐較 • ==, !=, <, <=, >, >= 数 • +, -, *, /, %, round(), abs(), etc. 集約 • count(), sum(), max(), min(), product(), sort(), etc. 配列 • concat(), slice() 集合 • get(), remove(), union(), filter(), etc. ⽂字列 • concat(), contains(), startwith(), endswith(), etc. 正規表現 • match(), is_valid(), split(), find_n(), etc. グロブ • match(), quote_meta() ビット処理 • or(), and(), negate(), xor(), lsh(), rsh() 変換 • to_number() 型 • is_number(), is_string(), is_boolean(), etc. エンコード • encode(), decode(), marshal(), unmarshal(), etc.
  • 20. 23 ©2021 VMware, Inc. Rego 組み込み関数(続き) https://www.openpolicyagent.org/docs/latest/policy-reference/#built-in-functions トークン署名 • encode_sign_raw(), encode_sign() トークン検証 • verify_rs256(), verify_rs384(), etc. 時刻 • date(), clock(), weekday(), add_date(), etc. 暗号 • md5(), sha1(), sha256(), parse_certficates(), etc. グラフ • walk(), reachable() HTTP • send() ネットワーク • cidr_contain(), cidr_intersects(), etc. UUID • rfc4122() セマンティック・バージョン • is_valid(), compare() Rego • parse_module() OPA • runtime() デバッグ • trace()
  • 21. 24 ©2021 VMware, Inc. Rego Playground https://play.openpolicyagent.org/
  • 22. 26 ©2021 VMware, Inc. OPA エコシステム
  • 23. 27 ©2021 VMware, Inc. Kubernetes と OPA のインテグレーション - Gatekeeper Kubernetes API Server と OPA の 間のブリッジとして 動作 API Server が Gatekeeper の Webhook をトリ ガー 課したい制約を Rego で記述 Source: https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
  • 24. 28 ©2021 VMware, Inc. Policy Template と Policy Instance Resource apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels validation: # Schema for the `parameters` field openAPIV3Schema: properties: labels: type: array items: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels violation[{"msg": msg, "details": {"missing_labels": missing}}] { provided := {label | input.review.object.metadata.labels[label]} required := {label | label := input.parameters.labels[_]} missing := required - provided count(missing) > 0 msg := sprintf("you must provide labels: %v", [missing]) } apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: ns-must-have-gk spec: match: kinds: - apiGroups: [""] kinds: ["Namespace"] parameters: labels: ["gatekeeper"]
  • 25. 29 ©2021 VMware, Inc. Tanzu Mission Control で提供されている Policy Template
  • 26. 30 ©2021 VMware, Inc. Policy の例 (1) – tmc-block-nodeport-service パラメータ無しのケース
  • 27. 31 ©2021 VMware, Inc. Policy の例 (1) – tmc-block-nodeport-service パラメータ無しのケース apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: tmc-block-nodeport-service spec: crd: spec: names: kind: tmc-block-nodeport-service targets: - target: admission.k8s.gatekeeper.sh rego: | package tmcblocknodeportsvc violation[{"msg": msg}] { input.review.kind.kind == "Service" input.review.kind.group == "" input.review.object.spec.type == "NodePort" msg := "service of type NodePort is forbidden" } { "review": { "object": { "apiVersion": "v1", "kind": "Service", "spec": { "type": "NodePort" }, }, "kind": { "kind": "Service", "group": "", "version": "v1" }, } } フルバージョンの Admission Review Request は ここ ConstraintTemplate Admission Review Request (関連部分のみ)
• 28. 32 Policy example (2) – tmc-require-labels: the case with parameters
• 29. 34 Policy example (2) – tmc-require-labels: the case with parameters
ConstraintTemplate:

    apiVersion: templates.gatekeeper.sh/v1beta1
    kind: ConstraintTemplate
    metadata:
      name: tmc-require-labels
      # ... (crd section omitted on the slide)
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package tmcrequirelabels

            violation[{"msg": msg, "details": {"missing_labels": missing}}] {
              provided := {label | input.review.object.metadata.labels[label]}
              required := {label | label := input.parameters.labels[_].key}
              missing := required - provided
              count(missing) > 0
              msg := sprintf("You must provide labels with keys: %v", [missing])
            }

            violation[{"msg": msg}] {
              value := input.review.object.metadata.labels[key]
              expected := input.parameters.labels[_]
              expected.key == key
              expected.value != ""
              expected.value != value
              msg := sprintf("Label <%v: %v> must match the value: %v", [key, value, expected.value])
            }

Admission Review Request (relevant parts only):

    {
      "parameters": {
        "labels": [
          { "value": "production", "key": "env" }
        ]
      },
      "review": {
        "object": {
          "apiVersion": "apps/v1",
          "kind": "Deployment",
          "metadata": {
            "labels": { "app": "nginx", "env": "production" }
          }
        }
      }
    }

The full Admission Review Request is here.
• 30. 35 VMware HANDS-ON LABS / HOL-2132-01-MAP https://labs.hol.vmware.com/HOL/catalogs/catalog/1212
• 31. 37 Exercises
• 32. 38 Exercise (1)
Write a policy that does not allow creation of a Pod whose securityContext has privileged set to true.

Allowed case:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-non-privileged
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          securityContext:
            privileged: false

The full Admission Review Request is here.

Denied case:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-privileged
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          securityContext:
            privileged: true

The full Admission Review Request is here.
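One way to solve exercise (1), as an added example that is not part of the original deck: a ConstraintTemplate plus a Constraint (the names k8sblockprivileged, K8sBlockPrivileged and block-privileged-pods are assumptions) that rejects the nginx-privileged Pod above and admits nginx-non-privileged. It goes one step beyond the exercise by also inspecting initContainers.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sblockprivileged            # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sBlockPrivileged      # assumed Constraint kind
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sblockprivileged

        # Every container of the reviewed Pod. The exercise only mentions
        # containers; including initContainers is an extension of it.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }

        violation[{"msg": msg}] {
          input.review.kind.kind == "Pod"
          input.review.kind.group == ""
          c := containers[_]
          # Undefined (so no violation) when securityContext or privileged is absent,
          # which is why the nginx-non-privileged Pod is admitted.
          c.securityContext.privileged == true
          msg := sprintf("privileged container is not allowed: %v", [c.name])
        }
---
# Constraint instance: apply the template to every Pod admission request
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockPrivileged
metadata:
  name: block-privileged-pods         # assumed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```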
• 33. 40 Exercise (2)
Write a policy that allows creation only of Pods whose containerPort lies in the range "min < port number < max", where min and max are passed as parameters.

Allowed case:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-port-8080
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 8080

The full Admission Review Request is here.

Denied case:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-port-80
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80

The full Admission Review Request is here.
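One way to solve exercise (2), as an added example that is not part of the original deck: a parameterized ConstraintTemplate (names k8scontainerportrange, K8sContainerPortRange and container-port-range are assumptions) whose Constraint passes min and max; with min 1024 and max 65536 the nginx-port-8080 Pod above is admitted and nginx-port-80 is denied.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8scontainerportrange         # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sContainerPortRange   # assumed Constraint kind
      validation:
        # Schema for the `parameters` field: both bounds are integers
        openAPIV3Schema:
          properties:
            min:
              type: integer
            max:
              type: integer
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8scontainerportrange

        violation[{"msg": msg}] {
          input.review.kind.kind == "Pod"
          input.review.kind.group == ""
          c := input.review.object.spec.containers[_]
          port := c.ports[_].containerPort
          not in_range(port)
          msg := sprintf("containerPort %v of container %v must satisfy %v < port < %v",
                         [port, c.name, input.parameters.min, input.parameters.max])
        }

        # Strict bounds, exactly as the exercise states: min < port < max
        in_range(port) {
          port > input.parameters.min
          port < input.parameters.max
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerPortRange
metadata:
  name: container-port-range          # assumed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    min: 1024    # 8080 is allowed, 80 is denied
    max: 65536
```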
• 34. 42 Exercise (3)
Write a policy that does not allow creation of a namespace whose name contains a specific string (for example "slave"). More than one string to reject may be given.
Hint: try the built-in function "contains()".

Allowed case:

    % kubectl create namespace ns-good

The full Admission Review Request is here.

Denied case:

    % kubectl create namespace ns-slave

The full Admission Review Request is here.
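One way to solve exercise (3), as an added example that is not part of the original deck: a ConstraintTemplate that takes a list of forbidden substrings as a parameter and uses the contains() built-in from the hint (names k8snamespacenameblocklist, K8sNamespaceNameBlocklist, namespace-name-blocklist and the parameter name forbidden are assumptions); ns-good is admitted and ns-slave is denied.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8snamespacenameblocklist     # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sNamespaceNameBlocklist   # assumed Constraint kind
      validation:
        openAPIV3Schema:
          properties:
            forbidden:                # assumed parameter: substrings to reject
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8snamespacenameblocklist

        # One violation per forbidden substring found in the namespace name,
        # so a name hitting several entries reports all of them.
        violation[{"msg": msg}] {
          input.review.kind.kind == "Namespace"
          input.review.kind.group == ""
          name := input.review.object.metadata.name
          word := input.parameters.forbidden[_]
          contains(name, word)   # built-in: true when word is a substring of name
          msg := sprintf("namespace name %v must not contain %v", [name, word])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNamespaceNameBlocklist
metadata:
  name: namespace-name-blocklist      # assumed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    forbidden: ["slave", "tmp"]       # "ns-good" passes, "ns-slave" is denied
```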
• 35. 58 Reference links
Open Policy Agent official site
  • https://www.openpolicyagent.org/
  • https://github.com/open-policy-agent
Learning Open Policy Agent with Tanzu Mission Control, Parts 1 to 4, by Hoshino-san of VMware
  • https://blog.lespaulstudioplus.info/posts/tmc-demanabu-opa/
OPA Deep Dive, KubeCon NA 2019
  • https://www.youtube.com/watch?v=Uj2N9S58GLU
TGIK 119 Gatekeeper and OPA
  • https://www.youtube.com/watch?v=ZJgaGJm9NJE
Styra
  • https://www.styra.com/
  • https://academy.styra.com/