Custom NetworkPolicy object support for clusters

Problem to solve

Once we have installed a default NetworkPolicy object as part of creating new clusters, users will need to be able to specify custom policies depending on their specific needs.

Intended users

  • Sam (Security Analyst)
  • Sidney (Systems Administrator)

Further details

Proposal

Allow users to define and supply custom NetworkPolicy objects for their cluster.

Minimal

  1. Users have a way to provide a NetworkPolicy object manifest file that they themselves wrote and have it applied to their app's cluster.
    1. Proposal: Look for a file such as .gitlab-custom-networkpolicy.yml or similar in the repo and pick up the rules from there. Consider whether multiple files would be needed and whether they should live inside a directory.
  2. Provide some visual representation to users that a custom NetworkPolicy object has been applied to their cluster.
    1. This is important to give users positive feedback on whether their intended changes have been applied.

Next

  1. Create a graphical "wizard" rules editor.

Permissions and Security

Configuration should be restricted to users with write access to the repo.

Documentation

Documentation should be updated to describe how and where to place a custom NetworkPolicy object. It should also call out any unsupported capabilities in our implementation.

  • Linking to the NetworkPolicy provider's full documentation could be helpful to prevent duplicating some content they have already created.

Testing

Testing of this capability should focus on several areas beyond our normal testing:

  1. Multiple applications in the same cluster, ensuring that one application's NetworkPolicy does not affect the other.
  2. Multiple branches of the same project with differing definitions for the custom NetworkPolicy object.
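
One way the pickup step from the Minimal proposal could vet a user-supplied manifest before applying it, so that the first test case above holds by construction. This is an added example, not GitLab's code; the function name, the namespace values, and the assumption that each application is deployed to its own namespace and that the YAML file has already been parsed into dicts are all illustrative.

```python
# Added example: pre-apply checks for a user-supplied NetworkPolicy manifest.
# Input is the list of already-parsed YAML documents (plain dicts).
# Function name and namespace values are assumptions for illustration.

ALLOWED_API_VERSION = "networking.k8s.io/v1"


def check_custom_policies(docs, app_namespace):
    """Return a list of problems; an empty list means the file may be applied."""
    problems = []
    seen = set()
    for i, doc in enumerate(docs):
        where = f"document {i}"
        if not isinstance(doc, dict):
            problems.append(f"{where}: not a mapping")
            continue
        # Only NetworkPolicy objects are accepted, so the file cannot carry
        # other resource kinds (RBAC, workloads, ...) into the cluster.
        if doc.get("kind") != "NetworkPolicy" or doc.get("apiVersion") != ALLOWED_API_VERSION:
            problems.append(f"{where}: expected {ALLOWED_API_VERSION} NetworkPolicy, "
                            f"got {doc.get('apiVersion')} {doc.get('kind')}")
            continue
        meta = doc.get("metadata") or {}
        name = meta.get("name")
        if not name:
            problems.append(f"{where}: metadata.name is required")
        elif name in seen:
            problems.append(f"{where}: duplicate policy name {name!r}")
        seen.add(name)
        # A NetworkPolicy selects pods only in its own namespace, so pinning
        # the namespace keeps one app's policy away from another app's pods.
        ns = meta.get("namespace")
        if ns not in (None, app_namespace):
            problems.append(f"{where}: namespace {ns!r} is not the app namespace {app_namespace!r}")
    return problems


# Constructed sample input: one valid policy, one aimed at another namespace,
# and one object of a different kind.
SAMPLE = [
    {"apiVersion": ALLOWED_API_VERSION, "kind": "NetworkPolicy",
     "metadata": {"name": "allow-web"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"]}},
    {"apiVersion": ALLOWED_API_VERSION, "kind": "NetworkPolicy",
     "metadata": {"name": "open-other", "namespace": "other-app"},
     "spec": {"podSelector": {}}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "extra"}},
]
```

Calling `check_custom_policies(SAMPLE, "my-app")` reports the second and third documents; the same list of problems could feed the visual feedback described under Minimal.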

What does success look like, and how can we measure that?

Percentage of repos that use our NetworkPolicy support with a custom NetworkPolicy defined within 3 months. Target => 50%

  • Adoption by our eligible users will show that this is solving a problem that they need solved.

What is the type of buyer?

GitLab Ultimate is required for this capability.

Links / references

Edited Oct 10, 2019 by Sam Kerr