This is a lightning version of a longer talk, of a longer blog, of a longer thesis. Strap in, I've only got ten minutes for about a hundred slides

Elephant in the room, policy is not sexy, but I'm going to try and get your attention.

So to set the scene I'm in the lift (yes, American friends we really do call them lifts) four people walk in. Chris! this is your moment, a captive audience. I hear the doors seal shut behind me, I take a breath.

I look at the first person, CIO the policy maker, the one who's neck is on the block, what are the chances of finding you in my imaginary lift today? I ask her, what keeps you up at night?

Don't know what teams are doing.

Setting and changing policy is slow and hard to communicate

People go off and do their own thing, they do know better, but I'm left playing catchup with the risk they've signed me up to

Second person, Product manager - the whip cracker. What's important to you?

Managing risk, mostly opportunity risk, the fear of missing out. getting features out the door, avoiding getting bogged down with

bureaucracy that seems designed to slow me down.

Next person, dressed in overalls, they could be the CTO, before I ask,

Cleaner they say, errr ok how did you get in my imagination, I'll come back to you.

My attention goes to the last person, hoodie, headphones. Ah my stereotypical developer, I know you well.

Whats important to you?

Writing consistent quality code, avoiding technical debt, the rest of my team being able to cohesively work as one.

linters, code quality, test coverage tools, the usual help with that.

Great I say, I write code too, lets be friends, and hand them a printed QR code of my public gpg key, so they can trust me.

Back to the cleaner, How do you get told what to do, and when it changes.

Something stuck to the notice board, last week we were told all the meeting room whiteboards need to be cleaned every night.

It's then up to us to keep everything in sequence.

Like when we hadn't updated the meeting room on the 3rd floor was being used as a dedicated war room, and we wiped their boards down.

I look to the dev, sound familiar? they nod.

Ok so if any of that sounds familiar, and you relate to my imaginary friends then I've got the answers for you.

What if I said:

You could update policy easily, even releasing several version updates

in a single day, seamlessly communicated without derailing anyone?

visibility on compliance using tools you already use?

Multiple concurrent versions of policy are supported

I'm Chris Nesbitt-Smith, I'm an instructor for Learnk8s and Control Plane, consultant to UK Government and tinkerer of open source. I've spent a fair chunk of my professional career now working in Government and large organizations where problems like these are rife. This is a lightning speech, so you'll have to come find me after if you've got questions

By show of hands who's with my CIO and set, written, or applied policy before?

Next round who's sought exemption or consciously bent, broken, circumvented, ignored, bypassed, whatever a policy with at least good intentions?

HA, you fell for it.

We've got all your names and employers details, so put your phones down, lend me your ears, the stakes just got raised.

Policy usually comes in one of two forms

Security, like data at rest being encrypted

Consistency such as code style

Both are intended to mitigate a risk of some sort

However with the best of intentions these are often emotionally led rather than being grounded in a proportionate control which is the open door to case-by-case exemptions being required when you come against a situation you weren't anticipating

Theres plenty of policy as code products out there to help

Devil in the detail though

Throwing some curly braces or yaml at something doesn't inherently fix things.

Especially if it leads your engineers who are hopefully all plenty smart finding 'inventive' ways around the

computer says no response they got.

sure you might say that you provide warnings, on less important issues or new emerging policy, but only useful if someone sees them

yup, as you know all presentations this year are contractually required to reference log4j

even when its entirely out of context

and include some memes. in just a few short months I can remove these

I've just covered a lot of ground, and hopefully sounded convincing, and not just a fictional utopia painted in powerpoint

I know you really came here wanting to see a million words on a slide not just an emoji or two

I'm going to talk about two things, to prove its not just one tech, or tool.

I've picked terraform and Kubernetes

but I could have picked anything

likewise, two tools, but again I could use any, some, or even all, probably. Checkov will do my terraform, kyverno will to my kube.

I've created a example git hub organization here, I'm not expecting you to read or grok the code on screen, its just to prove its a real thing.

The policy is stored here

so heres where my policy starts at v1.0.0 I've got policy that requires a department label on all resources, so long as its set, doesn't matter what it is

I've written tests for this, passing test cases become great examples of what good and bad looks like

pushed a tag in git, we've added release notes

and signed it

version 2.0.0 looks similar, only now that field has to be from a predetermined list, like before, tests, release notes, tags, signed

2.1.0 is where we correct a spelling mistake in that list of departments

2.1.1 added a new department to the list.

couple more repos in the org, app1 and infra1 depend on version 1, and not compliant with 2 or beyond, but how do I know that?

Renovate is automatically making pull requests

with new versions of the policy, so I can update my dependency

and get feedback when I'm not compliant

I can also see the pull requests over the org, so I can measure the compliance of my policy https://github.com/pulls?q=is%3Aopen+is%3Apr+archived%3Afalse+user%3Apolicy-as-versioned-code

couple more repos, app2 and infra2 depend on version 2 of the policy

however we could merge the open pull request up to 2.1.1

app3 and infra3 are dependent on 2.1.1

I've written some bash, sorry

now from my laptop or in CI can evaluate my code against the right policy version

and the last puzzle piece is managing the lifecycle of the policies, and allowing multiple versions of policy to be accepted and evaluated within a single runtime

I've cheated, kube gives you admission controllers, I haven't found a sane way to evaluate against Azure, GCP or AWS policy without doing it for real

The way the policy is designed and distributed lends it self well to co-exist with previous and future versions of itself in a Kubernetes cluster

cluster1 describes a cluster that accepts all the versions we've described so far

likewise cluster2, only accepts 2.0.0 and greater

to demo used KiND to deploy the apps

and there we have it full org all done, all compliant, policy all versioned, CIO all aware of whats going on. So this is great,

when some new privacy regulation comes out, or you acquire more data, the risks and the appetite stand still for no one and now neither does our policy

But the most important thing I want you to remember from our time together is that. And feel free to say it out loud with me

Purposeless

policy is

potentially

practically

pointless

policy.

I've been practicing saying that far too many times.

I've been Chris Nesbitt-Smith, thanks for your time, you're now free to leave, I'll try destroy the evidence of your guilt admissions earlier. Like subscribe whatever the kids do these days on LinkedIn, Github whatever. cns.me points at my LinkedIn. talks.cns.me contains this and other talks, they're all open source.