Merge branch '32365-network-policy-docs' into 'master'

Enable NetworkPolicy statistics by default Closes #32365 See merge request gitlab-org/gitlab!27365

Merge branch '32365-network-policy-docs' into 'master'
Enable NetworkPolicy statistics by default Closes #32365 See merge request gitlab-org/gitlab!27365
0d8c98d6 · Robert Speicher · 68110a08 · 92dd2747 · 0d8c98d6 · 0d8c98d6
Commit 0d8c98d6 authored Apr 06, 2020 by Robert Speicher
9 changed files
--- a/doc/user/application_security/threat_monitoring/index.md
+++ b/doc/user/application_security/threat_monitoring/index.md
@@ -13,6 +13,7 @@ navigating to your project's **Security & Compliance > Threat Monitoring** page.
 GitLab supports statistics for the following security features:
 - [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)
+- [Container Network Policies](../../../topics/autodevops/index.md#network-policy)
 ## Web Application Firewall
@@ -38,3 +39,38 @@ about your Ingress traffic:
 If a significant percentage of traffic is anomalous, you should
 investigate it for potential threats by
 [examining the application logs](../../clusters/applications.md#web-application-firewall-modsecurity).
+## Container Network Policy
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/32365) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+The **Container Network Policy** section provides packet flow metrics for
+your application's Kubernetes namespace. This section has the following
+prerequisites:
+- Your project contains at least one [environment](../../../ci/environments.md)
+- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
+- You've configured the [Prometheus service](../../project/integrations/prometheus.md#enabling-prometheus-integration)
+If you're using custom Helm values for Cilium, you must enable Hubble
+with flow metrics for each namespace by adding the following lines to
+your [Hubble values](../../clusters/applications.md#install-cilium-using-gitlab-cicd):
+```yaml
+metrics:
+  enabled:
+    - 'flow:sourceContext=namespace;destinationContext=namespace'
+```
+The **Container Network Policy** section displays the following information
+about your packet flow:
+- The total amount of the inbound and outbound packets
+- The proportion of packets dropped according to the configured
+  policies
+- The per-second average rate of the forwarded and dropped packets
+  accumulated over time window for the requested time interval
+If a significant percentage of packets is dropped, you should
+investigate it for potential threats by
+[examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -825,6 +825,28 @@ agent:
    enabled: false
 ```
+The [Hubble](https://github.com/cilium/hubble) monitoring daemon is
+enabled by default and it's set to collect per namespace flow
+metrics. This metrics are accessible on the [Threat Monitoring](../application_security/threat_monitoring/index.md)
+dashboard. You can disable Hubble by adding the following to
+`.gitlab/managed-apps/config.yaml`:
+```yaml
+cilium:
+  installed: true
+  hubble:
+    installed: false
+```
+You can also adjust Helm values for Hubble via
+`.gitlab/managed-apps/cilium/hubble-values.yaml`:
+```yaml
+metrics:
+  enabled:
+    - 'flow:sourceContext=namespace;destinationContext=namespace'
+```
 ### Install Vault using GitLab CI/CD
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9982) in GitLab 12.9.

--- a/ee/app/assets/javascripts/threat_monitoring/components/app.vue
+++ b/ee/app/assets/javascripts/threat_monitoring/components/app.vue
@@ -171,23 +171,21 @@ export default {
      documentation-anchor="web-application-firewall"
    />
-    <template v-if="glFeatures.networkPolicyUi">
+    <hr />
-      <hr />
-      <threat-monitoring-section
+    <threat-monitoring-section
-        ref="networkPolicySection"
+      ref="networkPolicySection"
-        store-namespace="threatMonitoringNetworkPolicy"
+      store-namespace="threatMonitoringNetworkPolicy"
-        :title="s__('ThreatMonitoring|Container Network Policy')"
+      :title="s__('ThreatMonitoring|Container Network Policy')"
-        :subtitle="s__('ThreatMonitoring|Packet Activity')"
+      :subtitle="s__('ThreatMonitoring|Packet Activity')"
-        :anomalous-title="s__('ThreatMonitoring|Dropped Packets')"
+      :anomalous-title="s__('ThreatMonitoring|Dropped Packets')"
-        :nominal-title="s__('ThreatMonitoring|Total Packets')"
+      :nominal-title="s__('ThreatMonitoring|Total Packets')"
-        :y-legend="s__('ThreatMonitoring|Operations Per Second')"
+      :y-legend="s__('ThreatMonitoring|Operations Per Second')"
-        :chart-empty-state-title="s__('ThreatMonitoring|Container NetworkPolicies not detected')"
+      :chart-empty-state-title="s__('ThreatMonitoring|Container NetworkPolicies not detected')"
-        :chart-empty-state-text="$options.networkPolicyChartEmptyStateDescription"
+      :chart-empty-state-text="$options.networkPolicyChartEmptyStateDescription"
-        :chart-empty-state-svg-path="networkPolicyNoDataSvgPath"
+      :chart-empty-state-svg-path="networkPolicyNoDataSvgPath"
-        :documentation-path="documentationPath"
+      :documentation-path="documentationPath"
-        documentation-anchor="container-network-policy"
+      documentation-anchor="container-network-policy"
-      />
+    />
-    </template>
  </section>
 </template>
--- a/ee/app/assets/javascripts/threat_monitoring/store/modules/threat_monitoring/actions.js
+++ b/ee/app/assets/javascripts/threat_monitoring/store/modules/threat_monitoring/actions.js
@@ -57,17 +57,11 @@ export const fetchEnvironments = ({ state, dispatch }) => {
 export const setCurrentEnvironmentId = ({ commit, dispatch }, environmentId) => {
  commit(types.SET_CURRENT_ENVIRONMENT_ID, environmentId);
  dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
+  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
-  if (window.gon.features?.networkPolicyUi) {
-    dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
-  }
 };
 export const setCurrentTimeWindow = ({ commit, dispatch }, timeWindow) => {
  commit(types.SET_CURRENT_TIME_WINDOW, timeWindow.name);
  dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
+  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
-  if (window.gon.features?.networkPolicyUi) {
-    dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
-  }
 };
--- a/ee/app/controllers/projects/threat_monitoring_controller.rb
+++ b/ee/app/controllers/projects/threat_monitoring_controller.rb
@@ -3,9 +3,5 @@
 module Projects
  class ThreatMonitoringController < Projects::ApplicationController
    before_action :authorize_read_threat_monitoring!
-    before_action only: [:show] do
-      push_frontend_feature_flag(:network_policy_ui)
-    end
  end
 end
--- a/ee/changelogs/unreleased/32365-network-policy-docs.yml
+++ b/ee/changelogs/unreleased/32365-network-policy-docs.yml
+---
+title: Enable NetworkPolicy Statistics by default
+merge_request: 27365
+author:
+type: added
--- a/ee/spec/frontend/threat_monitoring/components/__snapshots__/app_spec.js.snap
+++ b/ee/spec/frontend/threat_monitoring/components/__snapshots__/app_spec.js.snap
 // Jest Snapshot v1, https://goo.gl/fbAQLP
-exports[`ThreatMonitoringApp component given there is a default environment with data given the networkPolicyUi feature flag is enabled renders the network policy section 1`] = `
+exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy section 1`] = `
 <threat-monitoring-section-stub
  anomaloustitle="Dropped Packets"
  chartemptystatesvgpath="/network-policy-no-data-svg"

--- a/ee/spec/frontend/threat_monitoring/components/app_spec.js
+++ b/ee/spec/frontend/threat_monitoring/components/app_spec.js
@@ -112,26 +112,8 @@ describe('ThreatMonitoringApp component', () => {
      expect(findWafSection().element).toMatchSnapshot();
    });
-    it('does not render the network policy section', () => {
+    it('renders the network policy section', () => {
-      expect(findNetworkPolicySection().exists()).toBe(false);
+      expect(findNetworkPolicySection().element).toMatchSnapshot();
-    });
-    describe('given the networkPolicyUi feature flag is enabled', () => {
-      beforeEach(() => {
-        factory({
-          options: {
-            provide: {
-              glFeatures: {
-                networkPolicyUi: true,
-              },
-            },
-          },
-        });
-      });
-      it('renders the network policy section', () => {
-        expect(findNetworkPolicySection().element).toMatchSnapshot();
-      });
    });
    describe('dismissing the alert', () => {

--- a/ee/spec/frontend/threat_monitoring/store/modules/threat_monitoring/actions_spec.js
+++ b/ee/spec/frontend/threat_monitoring/store/modules/threat_monitoring/actions_spec.js
@@ -16,16 +16,6 @@ const environmentsEndpoint = 'environmentsEndpoint';
 const wafStatisticsEndpoint = 'wafStatisticsEndpoint';
 const networkPolicyStatisticsEndpoint = 'networkPolicyStatisticsEndpoint';
-const stubFeatureFlags = features => {
-  beforeEach(() => {
-    window.gon.features = features;
-  });
-  afterEach(() => {
-    delete window.gon.features;
-  });
-};
 describe('Threat Monitoring actions', () => {
  let state;
@@ -208,58 +198,32 @@ describe('Threat Monitoring actions', () => {
  describe('setCurrentEnvironmentId', () => {
    const environmentId = 1;
-    it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF fetch action', () =>
+    it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF and Network Policy fetch actions', () =>
      testAction(
        actions.setCurrentEnvironmentId,
        environmentId,
        state,
        [{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
-        [{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }],
+        [
+          { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
+          { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
+        ],
      ));
-    describe('given the networkPolicyUi feature flag is enabled', () => {
-      stubFeatureFlags({ networkPolicyUi: true });
-      it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF and Network Policy fetch actions', () =>
-        testAction(
-          actions.setCurrentEnvironmentId,
-          environmentId,
-          state,
-          [{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
-          [
-            { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
-            { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
-          ],
-        ));
-    });
  });
  describe('setCurrentTimeWindow', () => {
    const timeWindow = { name: 'foo' };
-    it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF fetch action', () =>
+    it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF and Network Policy fetch actions', () =>
      testAction(
        actions.setCurrentTimeWindow,
        timeWindow,
        state,
        [{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }],
-        [{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }],
+        [
+          { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
+          { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
+        ],
      ));
-    describe('given the networkPolicyUi feature flag is enabled', () => {
-      stubFeatureFlags({ networkPolicyUi: true });
-      it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF and Network Policy fetch actions', () =>
-        testAction(
-          actions.setCurrentTimeWindow,
-          timeWindow,
-          state,
-          [{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }],
-          [
-            { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
-            { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
-          ],
-        ));
-    });
  });
 });