Commit 3d16fa67 authored by Mark Florian's avatar Mark Florian

Merge branch 'network-policy-management-docs' into 'master'

Remove network_policy_management feature flag

See merge request gitlab-org/gitlab!33667
parents 154d745d 635da1a2
...@@ -9,9 +9,10 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -9,9 +9,10 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
The **Threat Monitoring** page provides metrics for the GitLab The **Threat Monitoring** page provides metrics and policy management
application runtime security features. You can access these metrics by for the GitLab application runtime security features. You can access
navigating to your project's **Security & Compliance > Threat Monitoring** page. these by navigating to your project's **Security & Compliance > Threat
Monitoring** page.
GitLab supports statistics for the following security features: GitLab supports statistics for the following security features:
...@@ -77,3 +78,41 @@ about your packet flow: ...@@ -77,3 +78,41 @@ about your packet flow:
If a significant percentage of packets is dropped, you should If a significant percentage of packets is dropped, you should
investigate it for potential threats by investigate it for potential threats by
[examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd). [examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).
## Container Network Policy management
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3328) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
The **Threat Monitoring** page's **Policy** tab displays deployed
network policies for all available environments. You can check a
network policy's `yaml` manifest and toggle the policy's enforcement
status. This section has the following prerequisites:
- Your project contains at least one [environment](../../../ci/environments/index.md)
- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
Network policies are fetched directly from the selected environment's
deployment platform. Changes performed outside of this tab are
reflected upon refresh. Enforcement status changes are deployed
directly to a deployment namespace of the selected environment.
NOTE: **Note:**
If you're using [Auto DevOps](../../../topics/autodevops/index.md) and
change a policy in this section, your `auto-deploy-values.yaml` file
doesn't update. Auto DevOps users must make changes by following
the [Container Network Policy documentation](../../../topics/autodevops/stages.md#network-policy).
### Changing enforcement status
To change a network policy's enforcement status:
- Click the network policy you want to update.
- Click the **Enforcement status** toggle to update the selected policy.
- Click the **Apply changes** button to deploy network policy changes.
NOTE: **Note:**
Disabled network policies have the
`network-policy.gitlab.com/disabled_by: gitlab` selector inside the
`podSelector` block. This narrows the scope of such a policy and as a
result it doesn't affect any pods. The policy itself is still deployed
to the corresponding deployment namespace.
...@@ -3,7 +3,6 @@ import { mapActions } from 'vuex'; ...@@ -3,7 +3,6 @@ import { mapActions } from 'vuex';
import { GlAlert, GlEmptyState, GlIcon, GlLink, GlPopover, GlTabs, GlTab } from '@gitlab/ui'; import { GlAlert, GlEmptyState, GlIcon, GlLink, GlPopover, GlTabs, GlTab } from '@gitlab/ui';
import { s__ } from '~/locale'; import { s__ } from '~/locale';
import axios from '~/lib/utils/axios_utils'; import axios from '~/lib/utils/axios_utils';
import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
import ThreatMonitoringFilters from './threat_monitoring_filters.vue'; import ThreatMonitoringFilters from './threat_monitoring_filters.vue';
import ThreatMonitoringSection from './threat_monitoring_section.vue'; import ThreatMonitoringSection from './threat_monitoring_section.vue';
import NetworkPolicyList from './network_policy_list.vue'; import NetworkPolicyList from './network_policy_list.vue';
...@@ -22,7 +21,6 @@ export default { ...@@ -22,7 +21,6 @@ export default {
ThreatMonitoringSection, ThreatMonitoringSection,
NetworkPolicyList, NetworkPolicyList,
}, },
mixins: [glFeatureFlagsMixin()],
props: { props: {
defaultEnvironmentId: { defaultEnvironmentId: {
type: Number, type: Number,
...@@ -194,11 +192,7 @@ export default { ...@@ -194,11 +192,7 @@ export default {
documentation-anchor="container-network-policy" documentation-anchor="container-network-policy"
/> />
</gl-tab> </gl-tab>
<gl-tab <gl-tab ref="networkPolicyTab" :title="s__('ThreatMonitoring|Policies')">
v-if="glFeatures.networkPolicyManagement"
ref="networkPolicyTab"
:title="s__('ThreatMonitoring|Policies')"
>
<network-policy-list :documentation-path="documentationPath" /> <network-policy-list :documentation-path="documentationPath" />
</gl-tab> </gl-tab>
</gl-tabs> </gl-tabs>
......
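Review bot: With the `v-if="glFeatures.networkPolicyManagement"` guard removed, the `networkPolicyTab` `gl-tab` is rendered for every user who can open the page, and the controller in this commit gates the page only with `authorize_read_threat_monitoring!`. The documentation added in the same commit says this tab lets a user toggle a policy's enforcement status and deploy the change to the environment's namespace, so the update path needs its own server-side authorization; that endpoint is not visible here, so please confirm it requires more than read access. If read-only users are meant to see the tab, consider having `network-policy-list` hide or disable the toggle for them, and document the assumption above the tab, e.g. `<!-- Shown to all readers of the page; policy updates are authorized by the backend -->`. The template continues outside this hunk.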
...@@ -57,14 +57,16 @@ export const fetchEnvironments = ({ state, dispatch }) => { ...@@ -57,14 +57,16 @@ export const fetchEnvironments = ({ state, dispatch }) => {
export const setCurrentEnvironmentId = ({ commit, dispatch }, environmentId) => { export const setCurrentEnvironmentId = ({ commit, dispatch }, environmentId) => {
commit(types.SET_CURRENT_ENVIRONMENT_ID, environmentId); commit(types.SET_CURRENT_ENVIRONMENT_ID, environmentId);
dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true }); dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true }); dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, {
if (window.gon.features?.networkPolicyManagement) { root: true,
dispatch(`networkPolicies/fetchPolicies`, environmentId, { root: true }); });
} dispatch(`networkPolicies/fetchPolicies`, environmentId, { root: true });
}; };
export const setCurrentTimeWindow = ({ commit, dispatch }, timeWindow) => { export const setCurrentTimeWindow = ({ commit, dispatch }, timeWindow) => {
commit(types.SET_CURRENT_TIME_WINDOW, timeWindow.name); commit(types.SET_CURRENT_TIME_WINDOW, timeWindow.name);
dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true }); dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true }); dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, {
root: true,
});
}; };
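Review bot: `setCurrentEnvironmentId` now dispatches `networkPolicies/fetchPolicies` on every environment change with no guard, so an environment that lacks the prerequisites listed in this commit's docs (Cilium installed on the deployment platform) still triggers a request to the cluster, which presumably fails. How `fetchPolicies` reports that failure is outside this diff; check that it does not show an error alert over the statistics tabs to users who never open the Policies tab. The updated spec only covers the dispatch list, so a test for the failing fetch would be worth adding alongside it. A short comment on the new line would also help, e.g. `// Policies are fetched eagerly so the Policies tab is populated when opened`.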
...@@ -3,8 +3,5 @@ ...@@ -3,8 +3,5 @@
module Projects module Projects
class ThreatMonitoringController < Projects::ApplicationController class ThreatMonitoringController < Projects::ApplicationController
before_action :authorize_read_threat_monitoring! before_action :authorize_read_threat_monitoring!
before_action only: [:show] do
push_frontend_feature_flag(:network_policy_management)
end
end end
end end
---
title: Add Network Policy Management to the Threat Monitoring page
merge_request: 33667
author:
type: added
// Jest Snapshot v1, https://goo.gl/fbAQLP // Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`ThreatMonitoringApp component given there is a default environment with data given the networkPolicyManagement feature flag is enabled renders the network policy tab 1`] = `
<gl-tab-stub
title="Policies"
>
<network-policy-list-stub
documentationpath="/docs"
/>
</gl-tab-stub>
`;
exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy section 1`] = ` exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy section 1`] = `
<threat-monitoring-section-stub <threat-monitoring-section-stub
anomaloustitle="Dropped Packets" anomaloustitle="Dropped Packets"
...@@ -26,6 +16,16 @@ exports[`ThreatMonitoringApp component given there is a default environment with ...@@ -26,6 +16,16 @@ exports[`ThreatMonitoringApp component given there is a default environment with
/> />
`; `;
exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy tab 1`] = `
<gl-tab-stub
title="Policies"
>
<network-policy-list-stub
documentationpath="/docs"
/>
</gl-tab-stub>
`;
exports[`ThreatMonitoringApp component given there is a default environment with data renders the waf section 1`] = ` exports[`ThreatMonitoringApp component given there is a default environment with data renders the waf section 1`] = `
<threat-monitoring-section-stub <threat-monitoring-section-stub
anomaloustitle="Anomalous Requests" anomaloustitle="Anomalous Requests"
......
...@@ -118,26 +118,8 @@ describe('ThreatMonitoringApp component', () => { ...@@ -118,26 +118,8 @@ describe('ThreatMonitoringApp component', () => {
expect(findNetworkPolicySection().element).toMatchSnapshot(); expect(findNetworkPolicySection().element).toMatchSnapshot();
}); });
it('does not render the network policy tab', () => { it('renders the network policy tab', () => {
expect(findNetworkPolicyTab().exists()).toBe(false); expect(findNetworkPolicyTab().element).toMatchSnapshot();
});
describe('given the networkPolicyManagement feature flag is enabled', () => {
beforeEach(() => {
factory({
options: {
provide: {
glFeatures: {
networkPolicyManagement: true,
},
},
},
});
});
it('renders the network policy tab', () => {
expect(findNetworkPolicyTab().element).toMatchSnapshot();
});
}); });
describe('dismissing the alert', () => { describe('dismissing the alert', () => {
......
...@@ -16,16 +16,6 @@ const environmentsEndpoint = 'environmentsEndpoint'; ...@@ -16,16 +16,6 @@ const environmentsEndpoint = 'environmentsEndpoint';
const wafStatisticsEndpoint = 'wafStatisticsEndpoint'; const wafStatisticsEndpoint = 'wafStatisticsEndpoint';
const networkPolicyStatisticsEndpoint = 'networkPolicyStatisticsEndpoint'; const networkPolicyStatisticsEndpoint = 'networkPolicyStatisticsEndpoint';
const stubFeatureFlags = features => {
beforeEach(() => {
window.gon.features = features;
});
afterEach(() => {
delete window.gon.features;
});
};
describe('Threat Monitoring actions', () => { describe('Threat Monitoring actions', () => {
let state; let state;
...@@ -41,7 +31,11 @@ describe('Threat Monitoring actions', () => { ...@@ -41,7 +31,11 @@ describe('Threat Monitoring actions', () => {
it('commits the SET_ENDPOINT mutation', () => it('commits the SET_ENDPOINT mutation', () =>
testAction( testAction(
actions.setEndpoints, actions.setEndpoints,
{ environmentsEndpoint, wafStatisticsEndpoint, networkPolicyStatisticsEndpoint }, {
environmentsEndpoint,
wafStatisticsEndpoint,
networkPolicyStatisticsEndpoint,
},
state, state,
[ [
{ {
...@@ -208,7 +202,7 @@ describe('Threat Monitoring actions', () => { ...@@ -208,7 +202,7 @@ describe('Threat Monitoring actions', () => {
describe('setCurrentEnvironmentId', () => { describe('setCurrentEnvironmentId', () => {
const environmentId = 1; const environmentId = 1;
it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF and Network Policy fetch actions', () => it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF, Network Policy statistics fetch actions and policy fetch action', () =>
testAction( testAction(
actions.setCurrentEnvironmentId, actions.setCurrentEnvironmentId,
environmentId, environmentId,
...@@ -216,26 +210,13 @@ describe('Threat Monitoring actions', () => { ...@@ -216,26 +210,13 @@ describe('Threat Monitoring actions', () => {
[{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }], [{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
[ [
{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }, { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
{ type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null }, {
type: 'threatMonitoringNetworkPolicy/fetchStatistics',
payload: null,
},
{ type: 'networkPolicies/fetchPolicies', payload: environmentId },
], ],
)); ));
describe('given the networkPolicyManagement feature flag is enabled', () => {
stubFeatureFlags({ networkPolicyManagement: true });
it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF, Network Policy statistics fetch actions and policy fetch action', () =>
testAction(
actions.setCurrentEnvironmentId,
environmentId,
state,
[{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
[
{ type: 'threatMonitoringWaf/fetchStatistics', payload: null },
{ type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
{ type: 'networkPolicies/fetchPolicies', payload: environmentId },
],
));
});
}); });
describe('setCurrentTimeWindow', () => { describe('setCurrentTimeWindow', () => {
...@@ -249,7 +230,10 @@ describe('Threat Monitoring actions', () => { ...@@ -249,7 +230,10 @@ describe('Threat Monitoring actions', () => {
[{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }], [{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }],
[ [
{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }, { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
{ type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null }, {
type: 'threatMonitoringNetworkPolicy/fetchStatistics',
payload: null,
},
], ],
)); ));
}); });
......