Commit 0d8c98d6 authored by Robert Speicher's avatar Robert Speicher

Merge branch '32365-network-policy-docs' into 'master'

Enable NetworkPolicy statistics by default

Closes #32365

See merge request gitlab-org/gitlab!27365
parents 68110a08 92dd2747
......@@ -13,6 +13,7 @@ navigating to your project's **Security & Compliance > Threat Monitoring** page.
GitLab supports statistics for the following security features:
- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)
- [Container Network Policies](../../../topics/autodevops/index.md#network-policy)
## Web Application Firewall
......@@ -38,3 +39,38 @@ about your Ingress traffic:
If a significant percentage of traffic is anomalous, you should
investigate it for potential threats by
[examining the application logs](../../clusters/applications.md#web-application-firewall-modsecurity).
## Container Network Policy
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/32365) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
The **Container Network Policy** section provides packet flow metrics for
your application's Kubernetes namespace. This section has the following
prerequisites:
- Your project contains at least one [environment](../../../ci/environments.md)
- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
- You've configured the [Prometheus service](../../project/integrations/prometheus.md#enabling-prometheus-integration)
If you're using custom Helm values for Cilium, you must enable Hubble
with flow metrics for each namespace by adding the following lines to
your [Hubble values](../../clusters/applications.md#install-cilium-using-gitlab-cicd):
```yaml
metrics:
enabled:
- 'flow:sourceContext=namespace;destinationContext=namespace'
```
The **Container Network Policy** section displays the following information
about your packet flow:
- The total amount of the inbound and outbound packets
- The proportion of packets dropped according to the configured
policies
- The per-second average rate of the forwarded and dropped packets
accumulated over time window for the requested time interval
If a significant percentage of packets is dropped, you should
investigate it for potential threats by
[examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).
......@@ -825,6 +825,28 @@ agent:
enabled: false
```
The [Hubble](https://github.com/cilium/hubble) monitoring daemon is
enabled by default and it's set to collect per namespace flow
metrics. This metrics are accessible on the [Threat Monitoring](../application_security/threat_monitoring/index.md)
dashboard. You can disable Hubble by adding the following to
`.gitlab/managed-apps/config.yaml`:
```yaml
cilium:
installed: true
hubble:
installed: false
```
You can also adjust Helm values for Hubble via
`.gitlab/managed-apps/cilium/hubble-values.yaml`:
```yaml
metrics:
enabled:
- 'flow:sourceContext=namespace;destinationContext=namespace'
```
### Install Vault using GitLab CI/CD
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9982) in GitLab 12.9.
......
......@@ -171,7 +171,6 @@ export default {
documentation-anchor="web-application-firewall"
/>
<template v-if="glFeatures.networkPolicyUi">
<hr />
<threat-monitoring-section
......@@ -188,6 +187,5 @@ export default {
:documentation-path="documentationPath"
documentation-anchor="container-network-policy"
/>
</template>
</section>
</template>
......@@ -57,17 +57,11 @@ export const fetchEnvironments = ({ state, dispatch }) => {
export const setCurrentEnvironmentId = ({ commit, dispatch }, environmentId) => {
commit(types.SET_CURRENT_ENVIRONMENT_ID, environmentId);
dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
if (window.gon.features?.networkPolicyUi) {
dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
}
};
export const setCurrentTimeWindow = ({ commit, dispatch }, timeWindow) => {
commit(types.SET_CURRENT_TIME_WINDOW, timeWindow.name);
dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
if (window.gon.features?.networkPolicyUi) {
dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
}
};
......@@ -3,9 +3,5 @@
module Projects
class ThreatMonitoringController < Projects::ApplicationController
before_action :authorize_read_threat_monitoring!
before_action only: [:show] do
push_frontend_feature_flag(:network_policy_ui)
end
end
end
---
title: Enable NetworkPolicy Statistics by default
merge_request: 27365
author:
type: added
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`ThreatMonitoringApp component given there is a default environment with data given the networkPolicyUi feature flag is enabled renders the network policy section 1`] = `
exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy section 1`] = `
<threat-monitoring-section-stub
anomaloustitle="Dropped Packets"
chartemptystatesvgpath="/network-policy-no-data-svg"
......
......@@ -112,27 +112,9 @@ describe('ThreatMonitoringApp component', () => {
expect(findWafSection().element).toMatchSnapshot();
});
it('does not render the network policy section', () => {
expect(findNetworkPolicySection().exists()).toBe(false);
});
describe('given the networkPolicyUi feature flag is enabled', () => {
beforeEach(() => {
factory({
options: {
provide: {
glFeatures: {
networkPolicyUi: true,
},
},
},
});
});
it('renders the network policy section', () => {
expect(findNetworkPolicySection().element).toMatchSnapshot();
});
});
describe('dismissing the alert', () => {
let mockAxios;
......
......@@ -16,16 +16,6 @@ const environmentsEndpoint = 'environmentsEndpoint';
const wafStatisticsEndpoint = 'wafStatisticsEndpoint';
const networkPolicyStatisticsEndpoint = 'networkPolicyStatisticsEndpoint';
const stubFeatureFlags = features => {
beforeEach(() => {
window.gon.features = features;
});
afterEach(() => {
delete window.gon.features;
});
};
describe('Threat Monitoring actions', () => {
let state;
......@@ -208,18 +198,6 @@ describe('Threat Monitoring actions', () => {
describe('setCurrentEnvironmentId', () => {
const environmentId = 1;
it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF fetch action', () =>
testAction(
actions.setCurrentEnvironmentId,
environmentId,
state,
[{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
[{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }],
));
describe('given the networkPolicyUi feature flag is enabled', () => {
stubFeatureFlags({ networkPolicyUi: true });
it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF and Network Policy fetch actions', () =>
testAction(
actions.setCurrentEnvironmentId,
......@@ -232,23 +210,10 @@ describe('Threat Monitoring actions', () => {
],
));
});
});
describe('setCurrentTimeWindow', () => {
const timeWindow = { name: 'foo' };
it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF fetch action', () =>
testAction(
actions.setCurrentTimeWindow,
timeWindow,
state,
[{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }],
[{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }],
));
describe('given the networkPolicyUi feature flag is enabled', () => {
stubFeatureFlags({ networkPolicyUi: true });
it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF and Network Policy fetch actions', () =>
testAction(
actions.setCurrentTimeWindow,
......@@ -261,5 +226,4 @@ describe('Threat Monitoring actions', () => {
],
));
});
});
});
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment