Show Container Network Policies on the Cluster Applications Page

Problem to solve

Container Network Security users need an easy way to turn Cilium on or off.

Although this setting can be changed today, the current approaches have limitations:

  1. Editing a configuration file and redeploying an environment is time-consuming and not intuitive. This approach makes it difficult to have the feature on by default.
  2. Question: What other options are available to disable Cilium?

In the event that Cilium is causing performance or connectivity problems, the user needs to be able to disable Cilium quickly and easily on a per-environment basis in the GitLab UI.

Intended users

Further details

Although we hope that performance problems with Cilium will never happen or will be caught in testing, there is always a risk that a problem exists as Cilium interacts with customer-specific environments. There is also a risk that the customer has introduced a connectivity problem via the policies that they have configured. Being able to turn Cilium off quickly helps to mitigate this risk. This is an MVC designed to help users quickly disable Cilium in the event of a problem.

Problems to be solved

  1. Users will be able to discover in the GitLab UI how to enable/disable Network Policies / Cilium
  2. Users will be able to quickly disable Cilium in the event that it is disrupting their production environment

Proposal

  1. Provide a GUI to allow users to view the installed/uninstalled state of Cilium
  2. Provide a link to documentation on installing/uninstalling Cilium from the UI

Design:

Cilium not enabled: [image: Enable-Disable_CnP]
Cilium enabled: [image: Disable_CnP_Installed]

  • UI finalized
  • Interactions finalized
  • Text finalized

Old proposal

Design:

[image: Screen_Shot_2020-04-16_at_11.34.08_AM]

Changes and additions:

  • New page header
  • New section header for the existing secure features
    • Remove blue banner at the top of the page and use the banner copy as sub-text under the section header
  • New section for Monitoring & Response features
  • Add ModSecurity list item
    • include ModSecurity status
    • include a link to ModSecurity GitLab docs
    • include a button that links to the managed apps page
  • Add Cilium list item
    • include Cilium status
    • include a link to Cilium GitLab docs
    • include a button that links to the Cilium configuration section of GitLab docs

Note that if fetching the status is out of scope, then remove the status column for the Monitoring & Response section only.

Experience:

  1. When Cilium is turned on or off, if the change is predicted to take <10 seconds, then we can just show a spinner. If it will take longer (measured in minutes), then we will likely want to inform users that it could take up to x minutes for the changes to take effect.

Permissions and Security

Users must be a Maintainer or Owner on the project. No additional permissions are required.

Documentation

  1. Documentation will be added to describe how to install/uninstall Cilium

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Sam White