Merge branch 'network-policy-management-docs' into 'master'

Remove network_policy_management feature flag See merge request gitlab-org/gitlab!33667

Merge branch 'network-policy-management-docs' into 'master'
Remove network_policy_management feature flag See merge request gitlab-org/gitlab!33667
3d16fa67 · Mark Florian · 154d745d · 635da1a2 · 3d16fa67 · 3d16fa67
Commit 3d16fa67 authored Jun 08, 2020 by Mark Florian
8 changed files
--- a/doc/user/application_security/threat_monitoring/index.md
+++ b/doc/user/application_security/threat_monitoring/index.md
@@ -9,9 +9,10 @@ info: To determine the technical writer assigned to the Stage/Group associated w

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.

-The **Threat Monitoring** page provides metrics for the GitLab
-application runtime security features. You can access these metrics by
-navigating to your project's **Security & Compliance > Threat Monitoring** page.
+The **Threat Monitoring** page provides metrics and policy management
+for the GitLab application runtime security features. You can access
+these by navigating to your project's **Security & Compliance > Threat
+Monitoring** page.

 GitLab supports statistics for the following security features:

@@ -77,3 +78,41 @@ about your packet flow:
 If a significant percentage of packets is dropped, you should
 investigate it for potential threats by
 [examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).
+
+## Container Network Policy management
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3328) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
+
+The **Threat Monitoring** page's **Policy** tab displays deployed
+network policies for all available environments. You can check a
+network policy's `yaml` manifest and toggle the policy's enforcement
+status. This section has the following prerequisites:
+
+- Your project contains at least one [environment](../../../ci/environments/index.md)
+- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
+
+Network policies are fetched directly from the selected environment's
+deployment platform. Changes performed outside of this tab are
+reflected upon refresh. Enforcement status changes are deployed
+directly to a deployment namespace of the selected environment.
+
+NOTE: **Note:**
+If you're using [Auto DevOps](../../../topics/autodevops/index.md) and
+change a policy in this section, your `auto-deploy-values.yaml` file
+doesn't update. Auto DevOps users must make changes by following
+the [Container Network Policy documentation](../../../topics/autodevops/stages.md#network-policy).
+
+### Changing enforcement status
+
+To change a network policy's enforcement status:
+
+- Click the network policy you want to update.
+- Click the **Enforcement status** toggle to update the selected policy.
+- Click the **Apply changes** button to deploy network policy changes.
+
+NOTE: **Note:**
+Disabled network policies have the
+`network-policy.gitlab.com/disabled_by: gitlab` selector inside the
+`podSelector` block. This narrows the scope of such a policy and as a
+result it doesn't affect any pods. The policy itself is still deployed
+to the corresponding deployment namespace.
--- a/ee/app/assets/javascripts/threat_monitoring/components/app.vue
+++ b/ee/app/assets/javascripts/threat_monitoring/components/app.vue
@@ -3,7 +3,6 @@ import { mapActions } from 'vuex';
 import { GlAlert, GlEmptyState, GlIcon, GlLink, GlPopover, GlTabs, GlTab } from '@gitlab/ui';
 import { s__ } from '~/locale';
 import axios from '~/lib/utils/axios_utils';
-import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import ThreatMonitoringFilters from './threat_monitoring_filters.vue';
 import ThreatMonitoringSection from './threat_monitoring_section.vue';
 import NetworkPolicyList from './network_policy_list.vue';
@@ -22,7 +21,6 @@ export default {
    ThreatMonitoringSection,
    NetworkPolicyList,
  },
-  mixins: [glFeatureFlagsMixin()],
  props: {
    defaultEnvironmentId: {
      type: Number,
@@ -194,11 +192,7 @@ export default {
          documentation-anchor="container-network-policy"
        />
      </gl-tab>
-      <gl-tab
-        v-if="glFeatures.networkPolicyManagement"
-        ref="networkPolicyTab"
-        :title="s__('ThreatMonitoring|Policies')"
-      >
+      <gl-tab ref="networkPolicyTab" :title="s__('ThreatMonitoring|Policies')">
        <network-policy-list :documentation-path="documentationPath" />
      </gl-tab>
    </gl-tabs>

--- a/ee/app/assets/javascripts/threat_monitoring/store/modules/threat_monitoring/actions.js
+++ b/ee/app/assets/javascripts/threat_monitoring/store/modules/threat_monitoring/actions.js
@@ -57,14 +57,16 @@ export const fetchEnvironments = ({ state, dispatch }) => {
 export const setCurrentEnvironmentId = ({ commit, dispatch }, environmentId) => {
  commit(types.SET_CURRENT_ENVIRONMENT_ID, environmentId);
  dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
-  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
-  if (window.gon.features?.networkPolicyManagement) {
+  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, {
+    root: true,
+  });
  dispatch(`networkPolicies/fetchPolicies`, environmentId, { root: true });
-  }
 };

 export const setCurrentTimeWindow = ({ commit, dispatch }, timeWindow) => {
  commit(types.SET_CURRENT_TIME_WINDOW, timeWindow.name);
  dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
-  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
+  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, {
+    root: true,
+  });
 };
--- a/ee/app/controllers/projects/threat_monitoring_controller.rb
+++ b/ee/app/controllers/projects/threat_monitoring_controller.rb
@@ -3,8 +3,5 @@
 module Projects
  class ThreatMonitoringController < Projects::ApplicationController
    before_action :authorize_read_threat_monitoring!
-    before_action only: [:show] do
-      push_frontend_feature_flag(:network_policy_management)
-    end
  end
 end
--- a/ee/changelogs/unreleased/network-policy-management-docs.yml
+++ b/ee/changelogs/unreleased/network-policy-management-docs.yml
+---
+title: Add Network Policy Management to the Threat Monitoring page
+merge_request: 33667
+author:
+type: added
--- a/ee/spec/frontend/threat_monitoring/components/__snapshots__/app_spec.js.snap
+++ b/ee/spec/frontend/threat_monitoring/components/__snapshots__/app_spec.js.snap
 // Jest Snapshot v1, https://goo.gl/fbAQLP

-exports[`ThreatMonitoringApp component given there is a default environment with data given the networkPolicyManagement feature flag is enabled renders the network policy tab 1`] = `
-<gl-tab-stub
-  title="Policies"
->
-  <network-policy-list-stub
-    documentationpath="/docs"
-  />
-</gl-tab-stub>
-`;
-
 exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy section 1`] = `
 <threat-monitoring-section-stub
  anomaloustitle="Dropped Packets"
@@ -26,6 +16,16 @@ exports[`ThreatMonitoringApp component given there is a default environment with
 />
 `;

+exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy tab 1`] = `
+<gl-tab-stub
+  title="Policies"
+>
+  <network-policy-list-stub
+    documentationpath="/docs"
+  />
+</gl-tab-stub>
+`;
+
 exports[`ThreatMonitoringApp component given there is a default environment with data renders the waf section 1`] = `
 <threat-monitoring-section-stub
  anomaloustitle="Anomalous Requests"

--- a/ee/spec/frontend/threat_monitoring/components/app_spec.js
+++ b/ee/spec/frontend/threat_monitoring/components/app_spec.js
@@ -118,27 +118,9 @@ describe('ThreatMonitoringApp component', () => {
      expect(findNetworkPolicySection().element).toMatchSnapshot();
    });

-    it('does not render the network policy tab', () => {
-      expect(findNetworkPolicyTab().exists()).toBe(false);
-    });
-
-    describe('given the networkPolicyManagement feature flag is enabled', () => {
-      beforeEach(() => {
-        factory({
-          options: {
-            provide: {
-              glFeatures: {
-                networkPolicyManagement: true,
-              },
-            },
-          },
-        });
-      });
-
    it('renders the network policy tab', () => {
      expect(findNetworkPolicyTab().element).toMatchSnapshot();
    });
-    });

    describe('dismissing the alert', () => {
      let mockAxios;

--- a/ee/spec/frontend/threat_monitoring/store/modules/threat_monitoring/actions_spec.js
+++ b/ee/spec/frontend/threat_monitoring/store/modules/threat_monitoring/actions_spec.js
@@ -16,16 +16,6 @@ const environmentsEndpoint = 'environmentsEndpoint';
 const wafStatisticsEndpoint = 'wafStatisticsEndpoint';
 const networkPolicyStatisticsEndpoint = 'networkPolicyStatisticsEndpoint';

-const stubFeatureFlags = features => {
-  beforeEach(() => {
-    window.gon.features = features;
-  });
-
-  afterEach(() => {
-    delete window.gon.features;
-  });
-};
-
 describe('Threat Monitoring actions', () => {
  let state;

@@ -41,7 +31,11 @@ describe('Threat Monitoring actions', () => {
    it('commits the SET_ENDPOINT mutation', () =>
      testAction(
        actions.setEndpoints,
-        { environmentsEndpoint, wafStatisticsEndpoint, networkPolicyStatisticsEndpoint },
+        {
+          environmentsEndpoint,
+          wafStatisticsEndpoint,
+          networkPolicyStatisticsEndpoint,
+        },
        state,
        [
          {
@@ -208,21 +202,6 @@ describe('Threat Monitoring actions', () => {
  describe('setCurrentEnvironmentId', () => {
    const environmentId = 1;

-    it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF and Network Policy fetch actions', () =>
-      testAction(
-        actions.setCurrentEnvironmentId,
-        environmentId,
-        state,
-        [{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
-        [
-          { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
-          { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
-        ],
-      ));
-
-    describe('given the networkPolicyManagement feature flag is enabled', () => {
-      stubFeatureFlags({ networkPolicyManagement: true });
-
    it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF, Network Policy statistics fetch actions and policy fetch action', () =>
      testAction(
        actions.setCurrentEnvironmentId,
@@ -231,12 +210,14 @@ describe('Threat Monitoring actions', () => {
        [{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
        [
          { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
-            { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
+          {
+            type: 'threatMonitoringNetworkPolicy/fetchStatistics',
+            payload: null,
+          },
          { type: 'networkPolicies/fetchPolicies', payload: environmentId },
        ],
      ));
  });
-  });

  describe('setCurrentTimeWindow', () => {
    const timeWindow = { name: 'foo' };
@@ -249,7 +230,10 @@ describe('Threat Monitoring actions', () => {
        [{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }],
        [
          { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
-          { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
+          {
+            type: 'threatMonitoringNetworkPolicy/fetchStatistics',
+            payload: null,
+          },
        ],
      ));
  });