[Reporting] Document Network Policy configuration #80431
@tsullivan thanks for writing this up, I think you did a nice job covering the options here. Just a couple of questions/nits for you below
A network policy applies not only to outgoing requests, but also incoming responses. That means if a request goes out to an allowed | ||
host, but is redirected and a response returns from a denied host, the response will be denied, and the report will fail. |
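Review bot: the second sentence ends at "the response will be denied, and the report will fail" and gives the reader no way to recognise this failure when it happens. Suggest adding where the denial is surfaced (for example the job error or the log entry) so a user can tell a network policy failure apart from any other failed report.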
nit: Isn't this still technically an outgoing request? The redirect would involve a response from the allowed host, and then the browser would issue a new request to the denied host -- the network policy would then prevent the connection to the denied host.
The way it's currently written, I could misinterpret this to believe that Chromium would connect to the denied host, but simply ignore the response.
Yes, I mistook what is going on in the response handler code that I have become slightly familiar with.
I should have realized the point you made, but now I'm less sure about what the code is doing :)
Yup, that's correct: we do a best effort prior to the request being sent, but if a DNS hijack or something else occurs, this can redirect to internal-only IPs or worse (the file:// protocol, etc).
This is why we check both the request itself, as well as the response, and if any violate network policies then the session is shut down immediately (the browser is closed, we log the reason, and the reporting job is failed).
Cool, glad to understand it better.
I think that level of detail might not be required for the docs. I'm just going to wipe out these sentences.
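The check described in the thread above (each request is tested before it is sent, each response when it arrives, and the first violation ends the session), as an added example that is not Kibana's code or part of this PR. The rule shape (`allow`, `host`, `protocol`), first-match evaluation with default deny, the event lists and the `example.test` hosts are assumptions of this sketch.

```javascript
// Added sketch, not Kibana's implementation. Assumed: rules carry optional
// `host` / `protocol`, the first matching rule wins, and no match means deny.
const rules = [
  { allow: true, host: "kibana.example.test", protocol: "https:" }, // constructed
  { allow: false }, // catch-all deny
];
// Verdict of the first rule whose host and protocol both match the URL.
function isAllowed(rawUrl, ruleList) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable URL: deny
  }
  const match = ruleList.find(
    (r) =>
      (r.host === undefined || r.host === url.hostname) &&
      (r.protocol === undefined || r.protocol === url.protocol)
  );
  return match ? match.allow : false;
}
// Walk the session's network events in order. A denied URL on either a
// request or a response stops the session; later events are never processed.
function runSession(events, ruleList) {
  const processed = [];
  for (const ev of events) {
    if (!isAllowed(ev.url, ruleList)) {
      return { ok: false, failedOn: ev, processed };
    }
    processed.push(ev);
  }
  return { ok: true, failedOn: null, processed };
}
// Constructed events: the allowed host answers with a redirect, so the
// browser issues a second, separate request to a host the rules deny.
const redirectChain = [
  { kind: "request", url: "https://kibana.example.test/app/dashboards" },
  { kind: "response", url: "https://kibana.example.test/app/dashboards" },
  { kind: "request", url: "https://other.example.test/landing" },
  { kind: "response", url: "https://other.example.test/landing" },
];
// Constructed events: a response arrives from a URL no checked request named.
const strayResponse = [
  { kind: "request", url: "https://kibana.example.test/app/dashboards" },
  { kind: "response", url: "file:///tmp/constructed.txt" },
];
console.log(runSession(redirectChain, rules).failedOn);
console.log(runSession(strayResponse, rules).failedOn);
```

In the redirect case the session stops on the second request, before any connection to the denied host; the response-side check only matters when a response turns up from a URL that the request-side check never saw.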
==== Disabling Reporting Network Policy | ||
|
||
You can use the `xpack.reporting.capture.networkPolicy.enabled: false` setting to disable the network policy feature. The default for | ||
this configuration property is `true`, so it is not necessary to explicitly enable it. |
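Review bot: the paragraph under "Disabling Reporting Network Policy" does not say what happens to a policy that is already configured once `xpack.reporting.capture.networkPolicy.enabled` is set to `false`. Suggest one sentence stating whether the existing configuration is ignored, and consider dropping "so it is not necessary to explicitly enable it", which only restates the default given in the same sentence.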
question: is there a functional difference between disabling the network policy, and not defining a network policy at all?
The answer is no, and there probably is no use case for disabling the network policy yet still having rules defined.
That should be a schema check on the config, and we can save the user from having an accidental breakage in the config.
Ready for final review!
* [Reporting] Document Network Policy configuration
* Apply suggestions from code review
  Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Apply suggestions from code review
  Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
* remove detail about policy acting on responses
* Update docs/user/reporting/network-policy.asciidoc
  Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
* lowercase network policy
* typo

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Summary
This PR adds a documentation section for the Reporting Network Policy feature, which was added in this PR #46528 and released in 7.4.1+.
Closes #71484
These screenshots show the placements of the changes in this PR (not the final or full content):