I ask, well, what keeps you up at night? Well, we don't know what teams are really doing, setting and changing policy is slow, hard to communicate, and people just go off and do their own thing. They think they know better, and often they do, but then I'm left playing catch-up with the risk that they've signed me up to. Second person, product manager, the whipcracker, well, what's important to you? So, managing risk, most of the opportunity risk, the fear of missing out, getting features out the door and avoiding getting bogged down with bureaucracy that seems designed, seemingly, to slow me down. Next person, dressed in overalls, they could be in a trendy part of town, they could be the CTO. Before I ask, cleaner, they say, ah, okay. Well, how did you get in my imagination? I'll come back to you. My attention to the last person, hoodie, headphones around the neck, ah, my stereotypical developer, yes, I know you well. Well, what's important to you? Well, writing consistent quality code, avoiding technical debt, and the rest of my team being able to cohesively work as one. So, we use linters, test coverage tools, the usual to help with that.
Great, I say, I write code too, let's be friends, and I hand them a printed QR code, my public GPG key, so they know that they can trust me. Back to the cleaner. How do you get told what to do and when it changes? Well, something gets stuck to a notice board, or, like last week, we were told all the meeting room whiteboards needed to be wiped down every night. It's then up to us to keep everything in sequence. Like when I haven't updated that the meeting room on the third floor was being used as a dedicated war room, and we wiped all their boards down. So I look to the dev, does this sound familiar? I nod. Well, turns out we're not all special snowflakes. So, if any of this sounds familiar, and you can at least relate to maybe one of my imaginary friends, then maybe I might have something resembling answers for you. So, what if I said that you could update policy easily, even releasing several version updates, not just in a single day, or all in a single day, seamlessly communicated without derailing anyone? Visibility on compliance, perhaps using tools that you might already be using. And multiple concurrent versions of the policy are all supported. Okay, I'm Chris Nesbit-Smith, so I'm an instructor for Learnk8s, and also for ControlPlane, a consultant to various bits of UK government and a tinkerer of bits of open source. I've spent a fair chunk of my professional career now working in Gov and large organisations where problems like these arise. This is a lightning speech, so we probably won't have any time for questions, but I'm pretty obvious, I'll be the only one with pink jeans, and you can find me afterwards. So, by show of hands, who's with my CIO and has set, written, or applied any sort of policy before? Like anything, like a coding standard, or anything for your team, or anything like that? Cool. Okay, next round.
Who's sought exemption or consciously bent, broken, circumvented, ignored, bypassed, whatever, a policy with at least some good intentions? Cool, thank you. You fell for it. So, thanks to the organisers, we've got all of your names and employers' details down, so put your phones down, the stakes just got raised. So, policy usually comes in one of two forms. So, security, like data at rest being encrypted, for example, or consistency, such as code style. Both generally are intended, at least in principle, to mitigate a risk of some sort. However, with the best of intentions, these are often emotionally led, rather than grounded in proportionate controls, which often becomes the open door to case-by-case exemptions being required when you come up against a situation that you weren't expecting. And there are plenty of policy as code products out there to help, which I'm sure you are all screaming at me in your heads. But the devil's in the detail. Throwing some curly braces or YAML at something doesn't inherently fix things, especially if it leads your engineers, who are all hopefully plenty smart people, to find inventive, should we say, ways around the computer-says-no response that they've got. Sure, you might say that you provide some warnings on less important issues or new emerging policy, but that's only useful if anyone's actually seeing them. Okay, so yes, as you know, all presentations this year are contractually required to reference Log4j, even when it's entirely out of context. So these are my slides, get over with it. So in just a few short months, I'll be able to remove them and just broadly point to a list of CVEs in order to command your behaviour through fear. So I've just covered a lot of ground and hopefully sounded at least vaguely convincing, and it's not just this fictional utopia painted in PowerPoint. And I know you really all came here wanting to see a million words on a slide and not just the odd emoji or two.
So I'm going to be talking about two things to prove this is not just one tech or one tool. I've picked Terraform and Kubernetes, but I could have probably picked anything, really. Likewise, I've got two tools because I'm too lazy to do much myself. But again, these could be any or some or even all, probably. So Checkov's going to be doing my Terraform and Kyverno's going to be doing my Kubernetes. I've created an example GitHub organisation here. I'm not expecting you to read or grok the code on screen. It's just to prove that it's a real thing. And the link will be at the end as well. So the policy is stored here in this repo of the org. So here's where my policy starts at v1.0.0. I've got policy that requires a department label on all resources, so long as it's set, doesn't matter what it is. I've written some tests for this, so passing test cases become great examples of what good and bad looks like. I've pushed a tag in Git. We've added some release notes. Obviously, they've signed it. And version two looks similar. Only now that field has to be from a predetermined list. Tests, release notes, tags, signed, et cetera. 2.1.0 is where we correct a spelling mistake in that list of departments. And 2.1.1, we've added a new department to the list. There are a few more repos in that organisation. There's app one and infra one. So these both depend on version one of the policy and are not compliant with version two. But how might I know that? Well, I can use Renovate, in this case, to automatically make some pull requests. Could use Dependabot or something else, if you like. So with new versions of the policy, I can update my dependency just for my pull request. And I get feedback about when I'm not compliant. And I can also see the pull requests over the organisation as a whole, so I can measure the compliance of my policy. A couple more repos, so app two and infra two. Well, these depend on version two of the policy.
However, we could merge the open pull requests all the way up to 2.1.1. And lastly, app three and infra three, well, these are all dependent on 2.1.1, and they get a gold star from the CIO. I've written some bash, sorry. So now, from my laptop or in CI, I can evaluate my code against the right version of the policy that I've declared in my resources. And the last piece of the puzzle then is managing the life cycle of the policies and allowing multiple versions of the policy to be accepted and evaluated within a single runtime. I've cheated a bit here. So, Kube gives you admission controllers. I haven't found a sensible way to do the same evaluation in Azure, GCP or AWS. All of their policy is doing its own weird stuff, and you have to do it for real. So, the way the policy is designed and distributed lends itself well to coexist with previous and future versions of itself within a Kubernetes cluster. So, I've got a few more repos, so cluster one. Well, this describes a cluster that accepts all the versions we've described so far. Likewise, cluster two. Well, this only accepts 2.0.0 and greater. And to demo this, I've just used kind in order to deploy the apps and prove what does deploy and what doesn't. And there we have it. A full org, all done, all compliant policy, all versions, CIO all aware of what's going on. So, this is great. When some new privacy regulation comes out or you acquire more data, the risks and the appetite will stand still for no one. And now, neither does your policy. But the most important thing that I want you to remember from our time together, and please do feel free to humour me and say it out loud with me, is that purposeless policy is potentially practically pointless policy, which I've been practising saying far too many times. I've been Chris Nesbit-Smith. Thanks so much for your time. You're now free to leave. I will delete the photos, maybe.
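The versioning scheme the talk walks through, as an added example that is not the speaker's code or the example organisation's Checkov/Kyverno policy: each policy version is a check over a resource's labels, a resource pins the version it targets (the dependency Renovate would bump), and a cluster declares the lowest version it admits. The department names, the deliberate typo in 2.0.0 and the `evaluate`/`outdated` helper names are constructed assumptions.

```python
# Added example modelling versioned policy-as-code; not code from the talk.
# Policy versions mirror the talk: 1.0.0 requires any department label,
# 2.0.0 restricts it to a list, 2.1.0 fixes a typo in that list, 2.1.1 adds
# a department. The department names and the typo are constructed samples.

def policy_1_0_0(labels):
    """1.0.0: a 'department' label must be set; any non-empty value passes."""
    return bool(labels.get("department"))

def make_list_policy(allowed):
    """2.x: the 'department' label must be one of a predetermined list."""
    def check(labels):
        return labels.get("department") in allowed
    return check

POLICIES = {
    "1.0.0": policy_1_0_0,
    "2.0.0": make_list_policy({"finance", "enginering", "hr"}),   # typo shipped
    "2.1.0": make_list_policy({"finance", "engineering", "hr"}),  # typo fixed
    "2.1.1": make_list_policy({"finance", "engineering", "hr", "legal"}),
}

def parse_version(v):
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def evaluate(resource, accepted_min=None):
    """Admit a resource against the policy version it declares.

    resource: {'policy_version': str, 'labels': dict}
    accepted_min: lowest version this cluster accepts (cluster two: '2.0.0');
                  None means every published version is accepted (cluster one).
    Returns (admitted, reason).
    """
    version = resource.get("policy_version")
    if version not in POLICIES:
        return False, f"unknown policy version {version!r}"
    if accepted_min and parse_version(version) < parse_version(accepted_min):
        return False, f"policy {version} is below cluster minimum {accepted_min}"
    if not POLICIES[version](resource.get("labels", {})):
        return False, f"labels fail policy {version}"
    return True, f"compliant with policy {version}"

def outdated(resource):
    """Newer policy versions than the pinned one: what a Renovate PR would offer."""
    pinned = parse_version(resource["policy_version"])
    return sorted((v for v in POLICIES if parse_version(v) > pinned), key=parse_version)

if __name__ == "__main__":
    app_one = {"policy_version": "1.0.0", "labels": {"department": "ops"}}
    print(evaluate(app_one), evaluate(app_one, "2.0.0"), outdated(app_one))
```

Running the block shows app one admitted by cluster one, rejected by cluster two, and offered three newer versions to bump to.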
For your guilty admissions earlier, like, subscribe, whatever the kids do, on LinkedIn, GitHub. There'll be little or no content. Sometimes I'm awful at self-promotion. And talks.cns.me. That contains this and other talks, and they're all open source. And cns.me just links to my LinkedIn. Thank you very much.