MVC: Initial Security Policy UI
Problem to solve
Currently all policies for Container Security can only be managed in code. Currently several pain points exist due to the lack of a policy management UI:
- Users who are not comfortable with editing configuration or yaml files are excluded from being able to use Container Security features
- Code does not allow an easy way to scan a page and visualize which policies are enabled vs disabled
- Users need to be able to disable a policy without deleting it
Intended users
This feature is targeted primarily at the Security team:
It may also be used by the DevOps team for smaller organizations that don't have a Security team:
Further details
This is intended to be the Minimal Viable Change (MVC) toward a larger policy management portal. Eventually we will want to be able to provide audit trails, policy differentials, policy suggestions, and feedback on the performance and efficacy of the policies. To allow us to iterate quickly, rather than trying to build all the features at once, this issue is focused on delivering just the first piece of the longer-term solution.
Proposal
For the first MVC, we will limit the policy page to just Container Network Policy (Cilium) management.
- The policy management portal will allow users to do the following:
- View policies that exist
- View whether those policies are currently enabled or disabled
- View all policies for the project or filter policies by environment
- Enable and disable policies (we may need to contribute to the upstream project to add a setting for this)
- Additionally a warning will be displayed for Auto-Devops users only to inform them that the will need to manually adjust the appropriate .yaml file in their repo to prevent their changes from being overwritten.
Permissions and Security
Users must be an Owner or Maintainer on the project to access the policy configuration page.
Documentation
- Documentation will be added to describe how to access and use the policy management page.
- Documentation will be added to describe how to enable and disable policies on the policy management page.
Availability & Testing
- Verify that only owners and maintainers can access the policy page
- Verify that adding a new policy directly via a kubectl command results in a new policy appearing in the policy UI
- Verify that deleting a policy directly via a kubectl command results in the policy being removed from the policy UI
- Verify that the enabled/disabled status shown in the UI matches what is shown in code
- Verify that enabling/disabling a policy pack in the UI accurately changes the state of the policy pack in the production environment
What does success look like, and how can we measure that?
What is the type of buyer?
This will be available for GitLab Ultimate