Users cannot update a Container Policy's name

Summary

Once a container policy has been created, a user cannot update the policy's name.

Steps to reproduce

  1. Follow the Protect Onboarding task to be able to create network policies in Kubernetes/Cilium
  2. Navigate to Security & Compliance => Policies
  3. Create a new container (network) policy
  4. Select the policy and click Edit policy in the sidebar
  5. Modify the name and click Save policy
  6. View the policy in the policies list

Example Project

https://staging.gitlab.com/defend-team-test/cnp-alert-demo/-/security/policies

What is the current bug behavior?

The policy's name is NOT updated

What is the expected correct behavior?

The policy's name is updated

Relevant logs and/or screenshots

Page Screenshot
gif cannot_update_container_policy_name
Request Headers Screen_Shot_2021-08-31_at_3.21.52_PM
Request Data Screen_Shot_2021-08-31_at_3.21.56_PM
Request Response Screen_Shot_2021-08-31_at_3.22.08_PM

Possible fixes

  • backend Update NetworkPolicies::DeployResourceService to delete and re-create the policy when the name is updated
diff --git a/ee/app/services/network_policies/deploy_resource_service.rb b/ee/app/services/network_policies/deploy_resource_service.rb
index 769ede025dd..d85292f17da 100644
--- a/ee/app/services/network_policies/deploy_resource_service.rb
+++ b/ee/app/services/network_policies/deploy_resource_service.rb
@@ -36,7 +36,6 @@ def execute
     def setup_resource
       @resource = policy.generate
       resource[:metadata][:namespace] = kubernetes_namespace
-      resource[:metadata][:name] = resource_name if resource_name
     end
 
     def load_policy_from_resource
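Review bot: in setup_resource, once the resource[:metadata][:name] = resource_name override is removed, the name comes only from policy.generate and nothing visible here checks that it is present. If the submitted policy has a blank or missing metadata name while resource_name is set, the comparison added in deploy_cilium_network_policy treats that as a rename and deletes the existing policy before attempting a create with no name. Suggest falling back to resource_name when the generated name is blank, or rejecting the request before any cluster call is made.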
@@ -57,7 +56,13 @@ def deploy_resource
 
     def deploy_cilium_network_policy
       if resource_name
-        platform.kubeclient.update_cilium_network_policy(resource)
+        if resource_name != resource[:metadata][:name]
+          platform.kubeclient.delete_cilium_network_policy(resource_name, kubernetes_namespace)
+          resource[:metadata][:resourceVersion] = nil
+          platform.kubeclient.create_cilium_network_policy(resource)
+        else
+          platform.kubeclient.update_cilium_network_policy(resource)
+        end
       else
         platform.kubeclient.create_cilium_network_policy(resource)
       end
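Review bot: in the rename branch of deploy_cilium_network_policy, the old policy is deleted before the new one is created, so if create_cilium_network_policy fails (invalid spec, a policy with the new name already exists, API error) the old policy is already gone and the workloads it selected are left without it. Because the two names differ, both objects can coexist: create under the new name first and call delete_cilium_network_policy(resource_name, kubernetes_namespace) only after the create succeeds, or rescue the create failure and restore the old policy. A spec covering the rename path, including a failed create, would be worth adding alongside this change.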
Edited by Sashi Kumar Kumaresan