John Reese
Software Engineer at Yubico
Actions
John Reese is an Infrastructure Security Engineer at Yubico, who specializes in Kubernetes and Go. He is an active open source contributor and a core maintainer for Conftest, a tool that helps you write tests against structured configuration data. In his free time, he enjoys playing Pickleball and video games, both of which he takes way too seriously.
Links
Area of Expertise
Topics
Open Policy Agent Can Do THAT?! The Many Use Cases of OPA
That’s right! The Open Policy Agent has other skills than just securing your clusters. The general-purpose design of the Open Policy Agent has enabled many tools, such as Gatekeeper, to adopt it for their own policy decision needs. This is powerful because it provides end-users with a consistent approach to policy enforcement throughout the cloud native ecosystem.
This talk will look at several different tools and techniques that leverage OPA's policy engine and how they can benefit the development, deployment, and security of your applications.
We'll explore:
- How Regula can evaluate your infrastructure for compliance violations before ever reaching the cloud.
- How Conftest can enforce cluster policies in local environments and CI without the need for a cluster.
- How Gatekeeper can provide cluster audits and prevent insecure workloads from being deployed.
- How Konstraint can automatically generate documentation, constraints, and templates for your policies.
- ... and more!
By the end of this talk, the audience will have more tools available to them in their toolkit and gain a different perspective on how the Open Policy Agent is used today to make better decisions for tomorrow.
Testing Without Examples (with Examples): A Look at Property-Based Testing
Have you ever heard of an example-based test? Chances are, you've written one without even knowing it! Every time we write a test where the input of the test is known, it's an example-based test.
Let's face it though, example-based tests can be hard to write. "Did I think of every possible edge case?" can be a tough question to answer. Sometimes we just don't know. Property-based tests are a great way to find those edge cases and can even help us fully understand how our code behaves under all conditions. Not just the ones we know about.
In this session, we'll learn all about the benefits (and drawbacks) of property-based testing through a series of examples using Go.
A Comment on Comments
Do you have a line of code may not be obvious to the next reader? Just add a comment. Unsure if you will need that method for later? Save it for later in a comment block. I would argue that all of these examples are not good uses of comments. So what are comments good for? If you ask me, not much.
In this session, you'll learn some of the problems with comments as well as some refactoring strategies that can enable you to not have to write them in the first place.
Enabling Autonomous Teams With Policy Enforcement at Yubico
In this talk, we will discuss the tools and processes created by Yubico to enable autonomous teams through policy.
Initially, Kubernetes RBAC and peer reviews from our Platform team allowed teams to adopt Kubernetes for their services. However, we knew that a dependency on a single team was not a scalable solution. To give teams more autonomy over their services, and rely less on manual reviews, we began to enforce policies in our pipelines and clusters by leveraging the Open Policy Agent. The Open Policy Agent and its surrounding projects were the perfect fit for us; they are open source, flexible, performant, and have seen widespread adoption throughout the ecosystem.
We'll also discuss the tooling that was built that enabled us to test policies, automatically generate supporting documentation and audit how each policy is being used so that they can be safely promoted through our environments. Best of all? They are all open source!
The OPA Toolbox: Enforcing Policy Throughout the Application Lifecycle
The Open Policy Agent has become a crucial component of many Kubernetes clusters, but its use cases go far beyond enforcing policies and securing workloads. Its generic purpose design makes it possible for other tools to use the Open Policy Agent as a library, which provides a consistent means of policy enforcement throughout the entire lifecycle of the application.
In this talk, we will look at the tools that use the Open Policy Agent, including:
- Writing unit tests for Kubernetes manifests using Conftest.
- Generating policy templates and documentation using Konstraint.
- Policy enforcement and auditing within the cluster using Gatekeeper.
Attendees will walk away with knowledge about the different tools that implement the Open Policy Agent today and how they can be used to enforce policy from local development to production.
Improving Design through Test Driven Development
There are numerous benefits to writing unit tests; they help with regression and provide executable documentation. However, there is yet another benefit that seems to go unnoticed. They facilitate good design!
In this session, we'll write a program not once, but twice. The first time we won't consider TDD at all. Next, we'll write the same program using TDD and see how different the two approaches truly are. Then we can ask ourselves, what had to change to make the program testable? What can we do now that the program has a suite of tests behind it?
If you want to see how leveraging test-driven development encourages a better design, this is the talk for you!
Understanding Code Coverage
You've probably heard it before. "We need to ensure we have at least 80% code coverage on this code base! We won't be confident everything is working otherwise!" While at first, this does sound like sound logic, it turns out code coverage isn't a goal that we should be actively striving for. It could actually make your code worse.
Before worrying about how much code coverage an application has, we should consider the application itself. Is this a mission critical system? Is it acceptable if it goes down for a period of time? Who are the stakeholders involved for each feature? Code coverage only tells you if a line is covered, but not all lines are created equal.
In this session, we'll discuss the common pitfalls of using code coverage as a goal and how we should really be using code coverage to better our applications.
Coding for Humans
Martin Fowler said it best, "Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
As developers, we spend more time reading code than writing it, but all too often we try to be clever instead of direct. We optimize for performance instead of clarity. These practices can lead to code that is hard to understand for the next developer and even our future selves. If we cannot understand code, we can never hope to maintain it!
Through a series of examples, we'll learn techniques that can make our code more understandable and maintainable for our fellow humans. The code samples for this session are in C#, but the techniques can be applied to any object-oriented language.
Gamifying Security Awareness
Conventional security training and awareness has failed us. It's often tedious and boring, consisting of video lectures, quizzes, and annual reviews that no one pays attention to. But what if we could make security awareness fun? By gamifying security education, we can create an environment where people actually want to learn about security and retain what they have learned.
Gamifying security is not a new concept. It has existed for quite some time, most notably in the form of Capture the Flag, which enables participants to attempt and subsequently learn about real-world security exploits in a controlled environment. Microsoft has even developed their own game, Elevation of Privilege, where players learn threat modeling techniques through a competitive card game.
In this session, we will explore these games and how gamification techniques can be a successful training tool to educate employees on security best practices.
Watch This Talk Before You Go Go
Curious about the Go programming language, but don't know where to start? In this talk you'll learn all about Go by comparing it to programming languages you already know and love!
Go is more than just learning new syntax. The language takes a fundamentally different approach to solve many problems that we as developers encounter everyday. Take package management for example, you may already be familiar with solutions like NuGet for .NET and npm for Node, but did you know Go just uses the source code repository? This approach not only simplifies how developers can share code with one another, but still facilitates immutability through Go modules. Some languages can go through a process called minification which replaces long variable and function names with shorter ones to reduce the overall footprint of the application, but Go simply ignores unused code right in its toolchain!
By the end of this talk, you'll walk away with knowing what makes Go special by leveraging knowledge you already know, and why Go might be your new favorite language.
Slowing Our Role: Moving Towards Policy at Plex
In this talk, we'll walk through Plex's journey from role-based access to embracing policy.
To be fair, roles got us far at Plex. Roles can be a completely valid solution, especially for smaller systems. However, as we grew, we knew roles would not be able to solve all our problems forever. Our solution? Policy.
With policy, we are able to focus on what we actually care about: compliance. Additionally, policy enforcement tools such as Conftest and Open Policy Agent allow us to define our policies upfront and enforce them in our pipeline. This approach makes automation and autonomy a reality. By enforcing policies in pipelines, fewer manual reviews are required, and our team can focus on innovation rather than approving change requests.
Our journey is not over yet, but you can still come hear all about where we started with role-based access control, where we are today with policy, and where we want to be.
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top