[Reporting] Document Network Policy configuration #80431
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tsullivan
force-pushed
the
reporting/docs/network-policy
branch
2 times, most recently
from
efb1a5a
to
bf8b517
Compare
tsullivan
force-pushed
the
reporting/docs/network-policy
branch
from
bf8b517
to
baf182f
Compare
tsullivan
added
the
release_note:skip
legrego
reviewed
Oct 14, 2020
There was a problem hiding this comment.
@tsullivan thanks for writing this up, I think you did a nice job covering the options here. Just a couple of questions/nits for you below
Comment on lines
13
to
14
| A network policy applies not only to outgoing requests, but also incoming responses. That means if a request goes out to an allowed | ||
| host, but is redirected and a response returns from a denied host, the response will be denied, and the report will fail. |
There was a problem hiding this comment.
nit: Isn't this still technically an outgoing request? The redirect would involve a response from the allowed host, and then the browser would issue a new request to the denied host -- the network policy would then prevent the connection to the denied host.
The way it's currently written, I could misinterpret this to believe that Chromium would connect to the denied host, but simply ignore the response.
There was a problem hiding this comment.
Yes, I mistook what is going on in the response handler code that I have become slightly familiar with.
I should have realized the point you made, but now I'm less sure about what the code is doing :)
There was a problem hiding this comment.
Yup, that's correct: we do a best effort prior to the request being sent, but if a DNS hijack or something else occurs, this can redirect to internal-only IPs or worse (the file:// protocol, etc).
This is why we check both the request itself, as well as the response, and if any violate network policies then the session is shutdown immediately (the browser is closed, we log the reason, and the reporting job is failed).
There was a problem hiding this comment.
Cool, glad to understand it better.
I think that level of detail might not be required for the docs. I'm just going to wipe out these sentences.
Comment on lines
71
to
74
| ==== Disabling Reporting Network Policy | ||
|
|
||
| You can use the `xpack.reporting.capture.networkPolicy.enabled: false` setting to disable the network policy feature. The default for | ||
| this configuration property is `true`, so it is not necessary to explicitly enable it. |
There was a problem hiding this comment.
question is there a functional difference between disabling the network policy, and not defining a network policy at all?
There was a problem hiding this comment.
The answer is no, and there probably is no use case for disabling the network policy yet still having rules defined.
That should be a schema check on the config, and we can save the user from having an accidental breakage in the config.
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
tsullivan
commented
Oct 14, 2020
gchaps
reviewed
Oct 14, 2020
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
|
Ready for final review! |
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
…kibana into reporting/docs/network-policy
tsullivan
added a commit
to tsullivan/kibana
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
to tsullivan/kibana
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
to tsullivan/kibana
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
to tsullivan/kibana
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
This was referenced Oct 16, 2020
tsullivan
added a commit
to tsullivan/kibana
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
to tsullivan/kibana
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
to tsullivan/kibana
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
tsullivan
added a commit
that referenced
this pull request
Oct 16, 2020
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Oct 19, 2020
* master: (43 commits) [ML] Transforms: Fix tab ids for expanded row. (elastic#80666) server logs config paths to use for runner (elastic#52980) Fix audit logger logging to console even when disabled (elastic#80928) skip flaky suite (elastic#80929) Added Enterprise Search config to kibana-docker (elastic#80872) skip flaky suite (elastic#80914) [keystore_cli] parse values as JSON before adding to keystore (elastic#80848) [Ingest Manager] Fix for comparing versions with -SNAPSHOT suffix (elastic#80742) ECS audit logging (elastic#74640) [Uptime] Add client-side unit tests for remaining synthetics code (elastic#80215) [Security_Solution][Resolver] Promote z-index on node labels (elastic#80854) Move renderHeaderActions back into mount useEffect + update tests (elastic#80861) [Reporting] Document Network Policy configuration (elastic#80431) [Reporting] Add contextual documentation for CSV Max Bytes setting (elastic#80782) Add catch for Enterprise Search sending back a 401 response instead of redirect (elastic#80757) [Actions] Back Button on Add Connector Flyout (elastic#80160) removing `kibana_datatable` in favor of `datatable` (elastic#80548) [Alerting UI] Updating 'Add new' wording (elastic#80509) [Docs] Document Encrypted Saved Objects functionality. (elastic#80183) [Discover] fix auto-refresh (elastic#80635) ...
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Oct 19, 2020
* master: (23 commits) [ML] Transforms: Fix tab ids for expanded row. (elastic#80666) server logs config paths to use for runner (elastic#52980) Fix audit logger logging to console even when disabled (elastic#80928) skip flaky suite (elastic#80929) Added Enterprise Search config to kibana-docker (elastic#80872) skip flaky suite (elastic#80914) [keystore_cli] parse values as JSON before adding to keystore (elastic#80848) [Ingest Manager] Fix for comparing versions with -SNAPSHOT suffix (elastic#80742) ECS audit logging (elastic#74640) [Uptime] Add client-side unit tests for remaining synthetics code (elastic#80215) [Security_Solution][Resolver] Promote z-index on node labels (elastic#80854) Move renderHeaderActions back into mount useEffect + update tests (elastic#80861) [Reporting] Document Network Policy configuration (elastic#80431) [Reporting] Add contextual documentation for CSV Max Bytes setting (elastic#80782) Add catch for Enterprise Search sending back a 401 response instead of redirect (elastic#80757) [Actions] Back Button on Add Connector Flyout (elastic#80160) removing `kibana_datatable` in favor of `datatable` (elastic#80548) [Alerting UI] Updating 'Add new' wording (elastic#80509) [Docs] Document Encrypted Saved Objects functionality. (elastic#80183) [Discover] fix auto-refresh (elastic#80635) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds a documentation section for the Reporting Network Policy feature, which was added in this PR #46528 and released in 7.4.1+
Closes #71484
These screenshots show the placements of the changes in this PR (not the final or full content):