Merge branch 'network-policy-editor-feature-flag' into 'master'

Network policy editor feature flag See merge request gitlab-org/gitlab!41949

Merge branch 'network-policy-editor-feature-flag' into 'master'
Network policy editor feature flag See merge request gitlab-org/gitlab!41949
8787a3c4 · Sean McGivern · 6409be6a · ec560eae · 8787a3c4 · 8787a3c4
Commit 8787a3c4 authored Sep 16, 2020 by Sean McGivern
7 changed files
--- a/doc/user/application_security/threat_monitoring/index.md
+++ b/doc/user/application_security/threat_monitoring/index.md
@@ -88,8 +88,9 @@ investigate it for potential threats by

 The **Threat Monitoring** page's **Policy** tab displays deployed
 network policies for all available environments. You can check a
-network policy's `yaml` manifest and toggle the policy's enforcement
-status. This section has the following prerequisites:
+network policy's `yaml` manifest, toggle the policy's enforcement
+status, and create and edit deployed policies. This section has the
+following prerequisites:

 - Your project contains at least one [environment](../../../ci/environments/index.md)
 - You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
@@ -124,3 +125,47 @@ Disabled network policies have the
 `podSelector` block. This narrows the scope of such a policy and as a
 result it doesn't affect any pods. The policy itself is still deployed
 to the corresponding deployment namespace.
+
+### Container Network Policy editor
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3403) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.4.
+
+The policy editor allows you to create, edit, and delete policies. To
+create a new policy click the **New policy** button located in the
+**Policy** tab's header. To edit an existing policy, click**Edit
+policy** in the selected policy drawer.
+
+NOTE: **Note:**
+The policy editor only supports the
+[CiliumNetworkPolicy](https://docs.cilium.io/en/v1.8/policy/)specification. Regular
+Kubernetes
+[NetworkPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicy-v1-networking-k8s-io)
+resources aren't supported.
+
+The policy editor has two modes:
+
+- The visual _Rule_ mode allows you to construct and preview policy
+  rules using rule blocks and related controls.
+- YAML mode allows you to enter a policy definition in `.yaml` format
+  and is aimed at expert users and cases that the Rule mode doesn't
+  support.
+
+You can use both modes interchangeably and switch between them at any
+time. If a YAML resource is incorrect, Rule mode is automatically
+disabled. You must use YAML mode to fix your policy before Rule mode
+is available again.
+
+Rule mode supports the following rule types:
+
+- [Labels](https://docs.cilium.io/en/v1.8/policy/language/#labels-based).
+- [Entities](https://docs.cilium.io/en/v1.8/policy/language/#entities-based).
+- [IP/CIDR](https://docs.cilium.io/en/v1.8/policy/language/#ip-cidr-based). Only
+  the `toCIDR` block without `except` is supported.
+- [DNS](https://docs.cilium.io/en/v1.8/policy/language/#dns-based).
+- [Level 4](https://docs.cilium.io/en/v1.8/policy/language/#layer-4-examples)
+  can be added to all other rules.
+
+Once your policy is complete, save it by pressing the **Save policy**
+button at the bottom of the editor. Existing policies can also be
+removed from the editor interface by clicking the **Delete policy**
+button at the bottom of the editor.
--- a/ee/app/assets/javascripts/threat_monitoring/components/network_policy_list.vue
+++ b/ee/app/assets/javascripts/threat_monitoring/components/network_policy_list.vue
@@ -18,8 +18,6 @@ import NetworkPolicyEditor from './network_policy_editor.vue';
 import PolicyDrawer from './policy_editor/policy_drawer.vue';
 import { CiliumNetworkPolicyKind } from './policy_editor/constants';

-import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
-
 export default {
  components: {
    GlTable,
@@ -34,7 +32,6 @@ export default {
    NetworkPolicyEditor,
    PolicyDrawer,
  },
-  mixins: [glFeatureFlagsMixin()],
  props: {
    documentationPath: {
      type: String,
@@ -80,14 +77,10 @@ export default {
        : false;
    },
    shouldShowCiliumDrawer() {
-      return this.glFeatures.networkPolicyEditor && this.hasCiliumSelectedPolicy;
+      return this.hasCiliumSelectedPolicy;
    },
    shouldShowEditButton() {
-      return (
-        this.glFeatures.networkPolicyEditor &&
-        this.hasCiliumSelectedPolicy &&
-        Boolean(this.selectedPolicy.creationTimestamp)
-      );
+      return this.hasCiliumSelectedPolicy && Boolean(this.selectedPolicy.creationTimestamp);
    },
    editPolicyPath() {
      return this.hasSelectedPolicy
@@ -184,7 +177,7 @@ export default {
    <div class="pt-3 px-3 bg-gray-light">
      <div class="row justify-content-between align-items-center">
        <environment-picker ref="environmentsPicker" />
-        <div v-if="glFeatures.networkPolicyEditor" class="col-sm-auto">
+        <div class="col-sm-auto">
          <gl-button
            category="secondary"
            variant="info"

--- a/ee/app/controllers/projects/threat_monitoring_controller.rb
+++ b/ee/app/controllers/projects/threat_monitoring_controller.rb
@@ -3,10 +3,6 @@
 module Projects
  class ThreatMonitoringController < Projects::ApplicationController
    before_action :authorize_read_threat_monitoring!
-    before_action :verify_network_policy_editor_flag!, only: [:new, :edit]
-    before_action do
-      push_frontend_feature_flag(:network_policy_editor, project)
-    end

    def edit
      @environment = project.environments.find(params[:environment_id])
@@ -23,11 +19,5 @@ module Projects
        render_404
      end
    end
-
-    private
-
-    def verify_network_policy_editor_flag!
-      render_404 unless Feature.enabled?(:network_policy_editor, project, default_enabled: false)
-    end
  end
 end
--- a/ee/changelogs/unreleased/network-policy-editor-feature-flag.yml
+++ b/ee/changelogs/unreleased/network-policy-editor-feature-flag.yml
+---
+title: Add policy editor to the Threat Monitoring page
+merge_request: 41949
+author:
+type: added
--- a/ee/spec/controllers/projects/threat_monitoring_controller_spec.rb
+++ b/ee/spec/controllers/projects/threat_monitoring_controller_spec.rb
@@ -83,23 +83,6 @@ RSpec.describe Projects::ThreatMonitoringController do
          stub_licensed_features(threat_monitoring: true)
        end

-        context 'and feature flag is disabled' do
-          before do
-            stub_feature_flags(network_policy_editor: false)
-          end
-
-          it 'returns 404' do
-            subject
-
-            expect(response).to have_gitlab_http_status(:not_found)
-          end
-        end
-
-        context 'and feature flag is enabled' do
-          before do
-            stub_feature_flags(network_policy_editor: true)
-          end
-
        it 'renders the new template' do
          subject

@@ -107,7 +90,6 @@ RSpec.describe Projects::ThreatMonitoringController do
          expect(response).to render_template(:new)
        end
      end
-      end

      context 'when feature is not available' do
        before do
@@ -165,23 +147,6 @@ RSpec.describe Projects::ThreatMonitoringController do
      end

      context 'when feature is available' do
-        before do
-          stub_licensed_features(threat_monitoring: true)
-        end
-
-        context 'and feature flag is disabled' do
-          before do
-            stub_feature_flags(network_policy_editor: false)
-          end
-
-          it 'returns 404' do
-            subject
-
-            expect(response).to have_gitlab_http_status(:not_found)
-          end
-        end
-
-        context 'and feature flag is enabled' do
        let(:service) { instance_double('NetworkPolicies::FindResourceService', execute: ServiceResponse.success(payload: policy)) }
        let(:policy) do
          Gitlab::Kubernetes::CiliumNetworkPolicy.new(
@@ -193,7 +158,8 @@ RSpec.describe Projects::ThreatMonitoringController do
        end

        before do
-            stub_feature_flags(network_policy_editor: true)
+          stub_licensed_features(threat_monitoring: true)
+
          allow(NetworkPolicies::FindResourceService).to(
            receive(:new)
              .with(resource_name: 'policy', environment: environment, kind: Gitlab::Kubernetes::CiliumNetworkPolicy::KIND)
@@ -228,7 +194,6 @@ RSpec.describe Projects::ThreatMonitoringController do
          end
        end
      end
-      end

      context 'when feature is not available' do
        before do

--- a/ee/spec/frontend/threat_monitoring/components/__snapshots__/network_policy_list_spec.js.snap
+++ b/ee/spec/frontend/threat_monitoring/components/__snapshots__/network_policy_list_spec.js.snap
@@ -6,10 +6,10 @@ exports[`NetworkPolicyList component renders policies table 1`] = `
 <table
  aria-busy="false"
  aria-colcount="3"
-  aria-describedby="__BVID__529__caption_"
+  aria-describedby="__BVID__341__caption_"
  aria-multiselectable="false"
  class="table b-table gl-table table-hover b-table-stacked-md b-table-selectable b-table-select-single"
-  id="__BVID__529"
+  id="__BVID__341"
  role="table"
 >
  <!---->

--- a/ee/spec/frontend/threat_monitoring/components/network_policy_list_spec.js
+++ b/ee/spec/frontend/threat_monitoring/components/network_policy_list_spec.js
@@ -61,22 +61,6 @@ describe('NetworkPolicyList component', () => {
    expect(findEnvironmentsPicker().exists()).toBe(true);
  });

-  it('does not render the new policy button', () => {
-    const button = wrapper.find('[data-testid="new-policy"]');
-    expect(button.exists()).toBe(false);
-  });
-
-  describe('given the networkPolicyEditor feature flag is enabled', () => {
-    beforeEach(() => {
-      factory({
-        provide: {
-          glFeatures: {
-            networkPolicyEditor: true,
-          },
-        },
-      });
-    });
-
  it('renders the new policy button', () => {
    const button = wrapper.find('[data-testid="new-policy"]');
    expect(button.exists()).toBe(true);
@@ -90,19 +74,6 @@ describe('NetworkPolicyList component', () => {
    expect(wrapper.find('[data-testid="edit-button"]').exists()).toBe(false);
  });

-    describe('given there is a selected policy', () => {
-      beforeEach(() => {
-        factory({
-          provide: {
-            glFeatures: {
-              networkPolicyEditor: true,
-            },
-          },
-          data: () => ({ selectedPolicyName: 'policy' }),
-        });
-      });
-    });
-
  describe('given selected policy is a cilium policy', () => {
    const manifest = `apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
@@ -113,11 +84,6 @@ spec:

    beforeEach(() => {
      factory({
-          provide: {
-            glFeatures: {
-              networkPolicyEditor: true,
-            },
-          },
        data: () => ({ selectedPolicyName: 'policy' }),
        state: {
          policies: [
@@ -141,7 +107,6 @@ spec:
      expect(button.attributes().href).toBe('/policies/policy/edit?environment_id=-1');
    });
  });
-  });

  it('renders policies table', () => {
    expect(findPoliciesTable().element).toMatchSnapshot();