Drop network_policy_ui feature flag

This MR removes network_policy_ui feature flag to enable access to the
Network Policy section of the Threat Monitoring page. Related
documentation was also added.

doc/user/application_security/threat_monitoring/index.md

@@ -13,6 +13,7 @@ navigating to your project's **Security & Compliance > Threat Monitoring** page.
 GitLab supports statistics for the following security features:
 
 - [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)
+- [Container Network Policies](../../../topics/autodevops/index.md#network-policy)
 
 ## Web Application Firewall
 
@@ -38,3 +39,38 @@ about your Ingress traffic:
 If a significant percentage of traffic is anomalous, you should
 investigate it for potential threats by
 [examining the application logs](../../clusters/applications.md#web-application-firewall-modsecurity).
+
+## Container Network Policy
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/32365) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+
+The **Container Network Policy** section provides packet flow metrics for
+your application's Kubernetes namespace. This section has the following
+prerequisites:
+
+- Your project contains at least one [environment](../../../ci/environments.md)
+- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
+- You've configured the [Prometheus service](../../project/integrations/prometheus.md#enabling-prometheus-integration)
+
+If you're using custom Helm values for Cilium, you must enable Hubble
+with flow metrics for each namespace by adding the following lines to
+your [Hubble values](../../clusters/applications.md#install-cilium-using-gitlab-cicd):
+
+```yaml
+metrics:
+  enabled:
+    - 'flow:sourceContext=namespace;destinationContext=namespace'
+```
+
+The **Container Network Policy** section displays the following information
+about your packet flow:
+
+- The total amount of the inbound and outbound packets
+- The proportion of packets dropped according to the configured
+  policies
+- The per-second average rate of the forwarded and dropped packets
+  accumulated over time window for the requested time interval
+
+If a significant percentage of packets is dropped, you should
+investigate it for potential threats by
+[examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).

doc/user/clusters/applications.md

@@ -825,6 +825,28 @@ agent:
     enabled: false
 ```
 
+The [Hubble](https://github.com/cilium/hubble) monitoring daemon is
+enabled by default and it's set to collect per namespace flow
+metrics. This metrics are accessible on the [Threat Monitoring](../application_security/threat_monitoring/index.md)
+dashboard. You can disable Hubble by adding the following to
+`.gitlab/managed-apps/config.yaml`:
+
+```yaml
+cilium:
+  installed: true
+  hubble:
+    installed: false
+```
+
+You can also adjust Helm values for Hubble via
+`.gitlab/managed-apps/cilium/hubble-values.yaml`:
+
+```yaml
+metrics:
+  enabled:
+    - 'flow:sourceContext=namespace;destinationContext=namespace'
+```
+
 ### Install Vault using GitLab CI/CD
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9982) in GitLab 12.9.

ee/app/assets/javascripts/threat_monitoring/components/app.vue

@@ -171,23 +171,21 @@ export default {
       documentation-anchor="web-application-firewall"
     />
 
-    <template v-if="glFeatures.networkPolicyUi">
-      <hr />
+    <hr />
 
-      <threat-monitoring-section
-        ref="networkPolicySection"
-        store-namespace="threatMonitoringNetworkPolicy"
-        :title="s__('ThreatMonitoring|Container Network Policy')"
-        :subtitle="s__('ThreatMonitoring|Packet Activity')"
-        :anomalous-title="s__('ThreatMonitoring|Dropped Packets')"
-        :nominal-title="s__('ThreatMonitoring|Total Packets')"
-        :y-legend="s__('ThreatMonitoring|Operations Per Second')"
-        :chart-empty-state-title="s__('ThreatMonitoring|Container NetworkPolicies not detected')"
-        :chart-empty-state-text="$options.networkPolicyChartEmptyStateDescription"
-        :chart-empty-state-svg-path="networkPolicyNoDataSvgPath"
-        :documentation-path="documentationPath"
-        documentation-anchor="container-network-policy"
-      />
-    </template>
+    <threat-monitoring-section
+      ref="networkPolicySection"
+      store-namespace="threatMonitoringNetworkPolicy"
+      :title="s__('ThreatMonitoring|Container Network Policy')"
+      :subtitle="s__('ThreatMonitoring|Packet Activity')"
+      :anomalous-title="s__('ThreatMonitoring|Dropped Packets')"
+      :nominal-title="s__('ThreatMonitoring|Total Packets')"
+      :y-legend="s__('ThreatMonitoring|Operations Per Second')"
+      :chart-empty-state-title="s__('ThreatMonitoring|Container NetworkPolicies not detected')"
+      :chart-empty-state-text="$options.networkPolicyChartEmptyStateDescription"
+      :chart-empty-state-svg-path="networkPolicyNoDataSvgPath"
+      :documentation-path="documentationPath"
+      documentation-anchor="container-network-policy"
+    />
   </section>
 </template>

ee/app/assets/javascripts/threat_monitoring/store/modules/threat_monitoring/actions.js

@@ -57,17 +57,11 @@ export const fetchEnvironments = ({ state, dispatch }) => {
 export const setCurrentEnvironmentId = ({ commit, dispatch }, environmentId) => {
   commit(types.SET_CURRENT_ENVIRONMENT_ID, environmentId);
   dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
-
-  if (window.gon.features?.networkPolicyUi) {
-    dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
-  }
+  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
 };
 
 export const setCurrentTimeWindow = ({ commit, dispatch }, timeWindow) => {
   commit(types.SET_CURRENT_TIME_WINDOW, timeWindow.name);
   dispatch(`threatMonitoringWaf/fetchStatistics`, null, { root: true });
-
-  if (window.gon.features?.networkPolicyUi) {
-    dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
-  }
+  dispatch(`threatMonitoringNetworkPolicy/fetchStatistics`, null, { root: true });
 };

ee/app/controllers/projects/threat_monitoring_controller.rb

@@ -3,9 +3,5 @@
 module Projects
   class ThreatMonitoringController < Projects::ApplicationController
     before_action :authorize_read_threat_monitoring!
-
-    before_action only: [:show] do
-      push_frontend_feature_flag(:network_policy_ui)
-    end
   end
 end

ee/changelogs/unreleased/32365-network-policy-docs.yml

+---
+title: Enable NetworkPolicy Statistics by default
+merge_request: 27365
+author:
+type: added

ee/spec/frontend/threat_monitoring/components/__snapshots__/app_spec.js.snap

 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`ThreatMonitoringApp component given there is a default environment with data given the networkPolicyUi feature flag is enabled renders the network policy section 1`] = `
+exports[`ThreatMonitoringApp component given there is a default environment with data renders the network policy section 1`] = `
 <threat-monitoring-section-stub
   anomaloustitle="Dropped Packets"
   chartemptystatesvgpath="/network-policy-no-data-svg"

ee/spec/frontend/threat_monitoring/components/app_spec.js

@@ -112,26 +112,8 @@ describe('ThreatMonitoringApp component', () => {
       expect(findWafSection().element).toMatchSnapshot();
     });
 
-    it('does not render the network policy section', () => {
-      expect(findNetworkPolicySection().exists()).toBe(false);
-    });
-
-    describe('given the networkPolicyUi feature flag is enabled', () => {
-      beforeEach(() => {
-        factory({
-          options: {
-            provide: {
-              glFeatures: {
-                networkPolicyUi: true,
-              },
-            },
-          },
-        });
-      });
-
-      it('renders the network policy section', () => {
-        expect(findNetworkPolicySection().element).toMatchSnapshot();
-      });
+    it('renders the network policy section', () => {
+      expect(findNetworkPolicySection().element).toMatchSnapshot();
     });
 
     describe('dismissing the alert', () => {

ee/spec/frontend/threat_monitoring/store/modules/threat_monitoring/actions_spec.js

@@ -16,16 +16,6 @@ const environmentsEndpoint = 'environmentsEndpoint';
 const wafStatisticsEndpoint = 'wafStatisticsEndpoint';
 const networkPolicyStatisticsEndpoint = 'networkPolicyStatisticsEndpoint';
 
-const stubFeatureFlags = features => {
-  beforeEach(() => {
-    window.gon.features = features;
-  });
-
-  afterEach(() => {
-    delete window.gon.features;
-  });
-};
-
 describe('Threat Monitoring actions', () => {
   let state;
 
@@ -208,58 +198,32 @@ describe('Threat Monitoring actions', () => {
   describe('setCurrentEnvironmentId', () => {
     const environmentId = 1;
 
-    it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF fetch action', () =>
+    it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF and Network Policy fetch actions', () =>
       testAction(
         actions.setCurrentEnvironmentId,
         environmentId,
         state,
         [{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
-        [{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }],
+        [
+          { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
+          { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
+        ],
       ));
-
-    describe('given the networkPolicyUi feature flag is enabled', () => {
-      stubFeatureFlags({ networkPolicyUi: true });
-
-      it('commits the SET_CURRENT_ENVIRONMENT_ID mutation and dispatches WAF and Network Policy fetch actions', () =>
-        testAction(
-          actions.setCurrentEnvironmentId,
-          environmentId,
-          state,
-          [{ type: types.SET_CURRENT_ENVIRONMENT_ID, payload: environmentId }],
-          [
-            { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
-            { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
-          ],
-        ));
-    });
   });
 
   describe('setCurrentTimeWindow', () => {
     const timeWindow = { name: 'foo' };
 
-    it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF fetch action', () =>
+    it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF and Network Policy fetch actions', () =>
       testAction(
         actions.setCurrentTimeWindow,
         timeWindow,
         state,
         [{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }],
-        [{ type: 'threatMonitoringWaf/fetchStatistics', payload: null }],
+        [
+          { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
+          { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
+        ],
       ));
-
-    describe('given the networkPolicyUi feature flag is enabled', () => {
-      stubFeatureFlags({ networkPolicyUi: true });
-
-      it('commits the SET_CURRENT_TIME_WINDOW mutation and dispatches WAF and Network Policy fetch actions', () =>
-        testAction(
-          actions.setCurrentTimeWindow,
-          timeWindow,
-          state,
-          [{ type: types.SET_CURRENT_TIME_WINDOW, payload: timeWindow.name }],
-          [
-            { type: 'threatMonitoringWaf/fetchStatistics', payload: null },
-            { type: 'threatMonitoringNetworkPolicy/fetchStatistics', payload: null },
-          ],
-        ));
-    });
   });
 });