Implement adoption and usage metrics for Web Application Firewall

Problem to solve

The initial MVC of the ~WAF was completed in #25398 (closed), but we did not have time to add usage metrics in order to measure installations and enablement across customer clusters.

We need to collect some telemetry so we can start reporting and measuring usage of this feature. This data will also support our North Star metric for Container Security, which is the total number of network packets processed.

Intended users

Further details

Proposal

There may be no easy way of measuring this using the current implementation, but options should be explored. Once we split out ModSecurity into a dedicated GitLab Managed Application, it should be simpler to set up an easy usage ping.

The following data will be collected as part of the usage ping:

  • The total number of packets that ModSecurity has analyzed across all environments
  • The total number of packets that ModSecurity has analyzed and found to be anomalous across all environments
  • The number of environments where ModSecurity is installed and turned on
  • The number of environments where ModSecurity is installed and turned off
  • The number of environments where ModSecurity is not installed

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

A viewable dashboard allows us to measure adoption for the WAF on k8s clusters.

What is the type of buyer?

GitLab Starter

Links / references

Implementation Plan

Replace IngressModsecurityUsageService queries against ci_variables and ci_pipeline_variables tables with new queries against ::Clusters::Applications::Ingress.where(modsecurity_enabled: true).logging and related enum scopes.

Ideally, we would fall back to querying against ci_variables and ci_pipeline_variables to capture ENV-level overrides, but whether that complexity is worth doing will need further analysis.

Status

  • backend MR to add feature flag to usage ping !20194 (merged)
  • backend MR to add indices and count enablement at project-level !20196 (merged)
  • backend MR to replace ci_variables and ci_pipeline_variables tables with queries against ::Clusters::Applications::Ingress.where(modsecurity_enabled: true).logging and related enum scopes
Edited by Alan (Maciej) Paruszewski