MVC: Initial Security Policy UI
<!-- The first three sections: "Problem to solve", "Intended users" and "Proposal", are strongly recommended, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution. --> ### Problem to solve <!-- What problem do we solve? Try to define the who/what/why of the opportunity as a user story. For example, "As a (who), I want (what), so I can (why/value)." --> Currently all policies for Container Security can only be managed in code. Currently several pain points exist due to the lack of a policy management UI: * Users who are not comfortable with editing configuration or yaml files are excluded from being able to use Container Security features * Code does not allow an easy way to scan a page and visualize which policies are enabled vs disabled * Users need to be able to disable a policy without deleting it ### Intended users <!-- Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later. Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/ * [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager) * [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager) * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead) * [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer) * [Presley (Product Designer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#presley-product-designer) * [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer) * [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator) * [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst) * [Dana (Data Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#dana-data-analyst) * [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#simone-software-engineer-in-test) * [Allison (Application Ops)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#allison-application-ops) --> This feature is targeted primarily at the Security team: * [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst) It may also be used by the DevOps team for smaller organizations that don't have a Security team: * [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer) ### Further details <!-- Include use cases, benefits, goals, or any other details that will help us understand the problem better. --> This is intended to be the Minimal Viable Change (MVC) toward a larger policy management portal. Eventually we will want to be able to provide audit trails, policy differentials, policy suggestions, and feedback on the performance and efficacy of the policies. To allow us to iterate quickly, rather than trying to build all the features at once, this issue is focused on delivering just the first piece of the longer-term solution. ### Proposal <!-- How are we going to solve the problem? Try to include the user journey! https://about.gitlab.com/handbook/journeys/#user-journey --> For the first MVC, we will limit the policy page to just Container Network Policy (Cilium) management. 1. The policy management portal will allow users to do the following: 1. View policies that exist 1. View whether those policies are currently enabled or disabled 1. View all policies for the project or filter policies by environment 1. Enable and disable policies (we may need to contribute to the upstream project to add a setting for this) 1. Additionally a warning will be displayed for Auto-Devops users only to inform them that the will need to manually adjust the appropriate .yaml file in their repo to prevent their changes from being overwritten. ### Permissions and Security <!-- What permissions are required to perform the described actions? Are they consistent with the existing permissions as documented for users, groups, and projects as appropriate? Is the proposed behavior consistent between the UI, API, and other access methods (e.g. email replies)?--> Users must be an Owner or Maintainer on the project to access the policy configuration page. ### Documentation <!-- See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html * Add all known Documentation Requirements in this section. See https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements * If this feature requires changing permissions, update the permissions document. See https://docs.gitlab.com/ee/user/permissions.html --> * Documentation will be added to describe how to access and use the policy management page. * Documentation will be added to describe how to enable and disable policies on the policy management page. ### Availability & Testing <!-- This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier. What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance. * Unit test changes * Integration test changes * End-to-end test change See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning --> * Verify that only owners and maintainers can access the policy page * Verify that adding a new policy directly via a kubectl command results in a new policy appearing in the policy UI * Verify that deleting a policy directly via a kubectl command results in the policy being removed from the policy UI * Verify that the enabled/disabled status shown in the UI matches what is shown in code * Verify that enabling/disabling a policy pack in the UI accurately changes the state of the policy pack in the production environment ### What does success look like, and how can we measure that? <!-- Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this. --> ### What is the type of buyer? <!-- What is the buyer persona for this feature? See https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/buyer-persona/ In which enterprise tier should this feature go? See https://about.gitlab.com/handbook/product/pricing/#four-tiers --> This will be available for gitlab~3207279 ### Is this a cross-stage feature? <!-- Communicate if this change will affect multiple Stage Groups or product areas. We recommend always start with the assumption that a feature request will have an impact into another Group. Loop in the most relevant PM and Product Designer from that Group to provide strategic support to help align the Group's broader plan and vision, as well as to avoid UX and technical debt. https://about.gitlab.com/handbook/product/#cross-stage-features --> ### Links / references * https://gitlab.com/gitlab-org/gitlab/-/issues/36500 ### Designs ![Overview_Tab](/uploads/610c83b1a98f1117eaac2eaef041cc6a/Overview_Tab.png) ![Policy_Tab_-_Auto_DevOps_Users](/uploads/b2586925fb8000010dd3afaeab911618/Policy_Tab_-_Auto_DevOps_Users.png) ![Policy_Tab_-_policy_change_-_failed](/uploads/ddcbd2867ca69af2c4494b2d20349b74/Policy_Tab_-_policy_change_-_failed.png) ![Policy_Tab_-_policy_change_-_success](/uploads/ce26b28f26b1af7f9d17d041445a2db3/Policy_Tab_-_policy_change_-_success.png) ![Policy_Tab_-_policy_change](/uploads/b32222963992f50d4ceaf77a27fbf371/Policy_Tab_-_policy_change.png) ![Policy_Tab_-_policy_selected](/uploads/cd327b68da5c2e8a4ce890fe2fd1ecd0/Policy_Tab_-_policy_selected.png) ![Policy_Tab](/uploads/3f480a04c46941f509c70df33bb3772a/Policy_Tab.png) This is a PARENT for the following two issues: * [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/216072 * [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/216073
epic