Cluster NetworkPolicy statistics

Problem to solve

Users use NetworkPolicy objects in their clusters to restrict access and ensure resources are not abused, but it is difficult to see what is happening, what has happened, and whether any potential or actual abusive activity was blocked or logged.

Intended users

Further details

Today, users can only see what their cluster has blocked and/or logged by connecting to the cluster from a terminal and reading Pod logs. While this is doable, it is difficult, time-consuming, and can overload the user with information. It also means users have to leave GitLab to find this information.

Proposal

  • Add a new area for Container Network Policies on the Threat Monitoring page
  • Create an identifiable separation between CNP statistics and WAF statistics for the user
  • Display packet activity statistics to the user in the Container Network Policy section of the Threat Monitoring page.
  • Blue info icon next to Threat Monitoring page title should now take the user to the documentation where they can either see info for both the WAF and CNP or where they can easily navigate to that info.
  • Remove blue alert banner seen here.

Experience

MVC version: CNP statistics
[Mockup: Network-policy-MVC]

Edge cases:

  • No WAF data [mockups: No-WAF-Connenction, WAF_Empty_state]
  • No Cilium data [mockups: No-CNP-Connenction, CNP_Empty_state]
  • No Environments [mockups: No-env, Page-empty_state]

Details:

  • (?) icon hover state (all instances): "view documentation" [mockup: Hoverstate_for_docs_icons]

Data

We want to show statistics about packets for this first iteration. Specifically:

Counts (above the chart)

  • Dropped packets as a % of total packets (for the filtered timeframe)
  • # Total packets (for the filtered timeframe)

Chart

  • Total packets (for the filtered timeframe)
  • Dropped packets as a percent of the total (for the filtered timeframe)

The filtered timeframe is set by the "Show last" filter the user can apply.
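To make the counts above concrete, here is an added example (not GitLab's or Cilium's code) that computes total packets and dropped packets as a percent of the total for a "Show last" window from constructed JSON-lines flow records; the record shape is an assumption loosely modelled on Hubble verdict output, and the "No Cilium data" empty state is handled by returning None instead of dividing by zero.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in a simplified JSON-lines shape loosely modelled
# on Hubble flow output (only the fields used here). Not real captured data.
SAMPLE_FLOWS = """\
{"time": "2020-06-01T11:00:00Z", "verdict": "FORWARDED"}
{"time": "2020-06-01T12:00:05Z", "verdict": "FORWARDED"}
{"time": "2020-06-01T12:00:10Z", "verdict": "DROPPED", "drop_reason_desc": "POLICY_DENIED"}
{"time": "2020-06-01T12:30:00Z", "verdict": "FORWARDED"}
{"time": "2020-06-01T12:45:00Z", "verdict": "DROPPED", "drop_reason_desc": "POLICY_DENIED"}
"""


def parse_flows(text):
    """Parse JSON-lines flow records into (timestamp, was_dropped) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        flows.append((ts, rec["verdict"] == "DROPPED"))
    return flows


def packet_stats(flows, now, window):
    """Counts for the 'Show last' window ending at `now`.

    dropped_pct is None when the window holds no data (the 'No Cilium data'
    empty state), so the caller never divides by zero.
    """
    start = now - window
    in_window = [dropped for ts, dropped in flows if start <= ts <= now]
    total = len(in_window)
    dropped = sum(in_window)
    pct = round(100.0 * dropped / total, 1) if total else None
    return {"total": total, "dropped": dropped, "dropped_pct": pct}


def stats_for_show_last(text, now_iso, hours):
    """Convenience wrapper: 'Show last <hours>' applied to JSON-lines text."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return packet_stats(parse_flows(text), now, timedelta(hours=hours))


if __name__ == "__main__":
    print(stats_for_show_last(SAMPLE_FLOWS, "2020-06-01T13:00:00Z", 1))
```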

Minimal

  1. Create a screen on the Security & Compliance menu to display traffic processed by Cilium
    • Proposal to largely mirror the interfaces used for the WAF
    • Place it behind the network_policy_ui feature flag (disabled by default).
  2. Display overarching statistics, such as number and percentage of traffic that has been blocked

Next

  1. Create a Finding object every time a piece of traffic is blocked due to a NetworkPolicy object restriction (will be covered in its own issues, not this one)

Permissions and Security

Permissions should match those required by the Security Dashboard

Documentation

Testing

What does success look like, and how can we measure that?

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Andy Volpe