GitLab Protect Stage, 10 Aug 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Container Security Group Discussion 2021-08-10

Description

No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).

A

B

Okay, I thought I would.

A

You go, and I was just gonna say for the one person that watches this- uh that this is the weekly group discussion for container security.

B

Oh yeah, okay, I'm gonna walk through the current designs for the scan results, security policies. I was planning on doing solution validation for this this week, but it's not ready for that. So I'm still working on the designs and then once camellia starts working on it too, and we decided well when she decides it's in a good place. Then then we'll do some proper solution, validation to make sure that the whole flow makes sense. But I'm not sure if everyone had a chance to look at this so I'll run through it.

B

Okay, so this is the small update to the existing merge request: approval widget that exists in the merge request settings at the project view for people who don't have any policies set up, I'm proposing a little banner that says you can do more for for vulnerability checks with an import with a policy, and then you can create that policy here or you can just dismiss it. We'll still have vulnerability check available at that project level. For a few milestones, at least while we hopefully get customers more interested in the policies.

B

If a policy has been enabled, it will show up here in the list and there'll be a little badge that says security policy. If you click view details, you can see what that policy entails and it's kind of a read-only view. So you can't edit it from here, but you can go and look at that policy on the policy page and then from there you can make edits and open merge requests.

B

This is what the policy page looks like for the scan result policy and you. This is really just one state of what it's going to look like or it could look like in this case. You can read the rules that will make will trigger this rule and then you can add different users or groups via this little drop down.

B

We change the wording from save policy to create merge requests, because that's what you're essentially doing- and I didn't want there to be any confusion over- why this policy hasn't been enabled or anything like that- it's not really being saved. So we're going to do create, merge, request, there's a banner here, and I think that sam you had some reservations about the banner.

B

I think it's a good idea now, I'm going to circle back to that, because I have some questions actually, but hopefully, users will notice that this is going to open, merge requests in a separate project. Then they can click that button.

B

If they don't see it or read it, that's fine too they'll they'll notice it when they end up on this page- and this is the sort of pre-filled merge- request, template it's kind of similar to the sas configuration that we already have so it'll, just link back to the policy list and create that merge request, and this is just the same.

B

It's the basic merge request flow and then here this is what I just updated. This is like the fourth time I've updated this page, so I apologize um that policy that you just created will show up here at the top and it will say not enabled in this case I put two. I don't know why.

B

So there are two open, merge requests associated with that policy and if you hover over it, you get a pop over that links to the two merge requests and um the policy type is below enabled or not enabled or the two states that I thought would work. I might need another one, and I guess that's it. That's it for the whole float.

B

Excuse me: um does anyone have any questions about that.

C

uh I believe, with the scan execution policies. Now they, when you click the create merge, request button. It just goes to a the newly created merge request and it doesn't go to like a pre-filled template yeah. It goes to the screen instead of okay, the prior screen. What would be the benefits of having this intermediate state.

B

That's a good question. I don't actually um I don't know why sas does it, so maybe there is a reason. Does anyone else know.

C

Because uh it seemed like a good idea at the time I don't know oh cause, you can edit all these things anyways. I don't.

A

I don't think I understand the difference, isn't isn't it exactly the same as as we're proposing.

B

A

Is the exact skip this.

B

D

I'm with thiago I'm a little bit confused when we, when they click, create, merge requests. We take them straight to this page right.

C

Right uh well, yeah, that's what annabelle is proposing and that's what sas is doing, but for the current project for scan execution. We don't take them to this page. We take them to the next page if they click the create merge, request button. We take.

A

C

To this page, oh.

A

We don't give them a chance to amend anything.

D

Okay right yeah, because it is odd because we have create, merge requests and then we take them to another page where they have the same. Now that you've changed the wording annabelle it's actually the same on both pages, so they have to click, create, merge twice and at what point are you actually creating it?.

B

Yeah, I'm almost positive. It's the same.

C

And then I and then I don't yeah and I my question was I mean what what why would we take them to this page when they can edit all these things on the merge requests after we've, if it's already been created, anyways.

B

I guess you don't have to go back and edit and I mean certain things are only available in the edit view. Right, ah maybe not.

C

Well, I I don't.

A

C

A

It's a good question, and probably one of these that we resolve by testing right, say: hey, that's the user. Would you prefer this or that I don't know, what's the more likely what's the same default.

B

I yeah I agree we can find out through testing. I I think I like seeing the merge request here before I hit before it actually goes through.

B

That might just be me, I like to see it before I hit create just because you know that's the expected behavior. If we bypass that it's kind of like oh okay, I guess it's done and I wasn't ready. I don't know um that might be. Why sas did it? We can. We can always check on that.

D

Yes- and that was my comment about the banner- is that it feels a little bit redundant. I guess the banner feels redundant with that intermediate page, because I feel like that page is basically saying the same thing that the banner says.

D

So if we did do what alexander is suggesting and we just created the merge request, then I think the banner makes a lot more sense to explain what's about to happen but yeah. So I guess it depends on our workflow.

B

So I had the banner up as well, because I wanted to know what the flow would be if the. If there was no security approval project created yet can I still click new policy and if so, at what point is it auto-created.

D

So I think there was some confusion about this while I was on pto, um but you should be able to just go straight into creating a new policy and then, when you click create like at the bottom, when you click that blue button, that's when we should be creating the project if it doesn't already exist,.

B

If that's the case, then we can probably I think the banner should be there explaining that too yeah. So I think I I saw your comment. I didn't know. If I don't actually know who the merge request author was, I think we got it resolved and we did do the correct flow.

B

So the new policy did go to the policy page and the edit project did open the modal. That was what I was expecting, but I don't know if that's actually what happened.

D

Yeah, that would be the desired behavior, though clicking new policy should just go straight to the new policy page and then, when you actually click at the bottom, we should probably change that to be consistent with whatever we decide here. When you click create merge request, then it should automatically create the project if it does not already exist and create the merge request in that project.

B

So maybe the question, I guess then, is yeah. Is it on this button or is it when you actually create that merge request.

A

You you need to be on this button.

D

Yeah be on this button. Okay,.

C

A

C

Currently, how it works for scan execution policies- um and the mr I have up is you- click create merge request. It does a check for a security policy project if it doesn't have one it creates it auto, links it and then creates the merge request on there and if it already has one then just creates the merge request, but it does go straight to the merge request and not the merge request. Template.

A

Would um if we, if we want to give the user the option to create, to review the mesh request before hitting create, would would it make sense to change that button there to say start merge request instead of create.

B

That might might work.

A

Just a thought: I'm not particularly current.

D

Yeah, because it is a bit odd to have the exact same terminology twice like you know, I mean we could always test this, but as a user I would feel like. Oh, I clicked create, merge request. Why didn't it create it? Now? I have to click, create, merge, request again. You know you.

A

D

But if we don't have that intermediate page and we do it as it is now like I said, I think the banner makes a lot more sense because they don't have that second page to review it. So having a banner to explain, what's about to happen when you click the big blue button again, I think we should keep the banner if we're just creating it right. There.

B

Right and if it already does exist- and we are having the usual merge request flow- then a banner probably isn't necessary.

B

um This probably has already worked out, I'm assuming it is. I just don't know the answer: if I'm a user who does not have access to the security approval project and there isn't sorry, there is no security, google project, I don't see the new policy button right and I don't. I don't see anything probably.

D

So only owners are allowed to create a security policy project initially like to do that. Linking so only the project owner should have that access.

B

So before the owner does that I remember, I had an empty state somewhere and I just can't find oh.

B

So this is what the.

D

B

D

Like the project owner would see everything here, if you're not a project owner, then you would not have any of those buttons. You would not have the new policy button and you would not have the edit policy project button.

B

Okay, but as soon as so, but as soon as a security approval project does exist as a project maintainer of the development project, I can create a new policy right. Yes,.

D

B

Even a developer.

D

Exactly you're able to open that, mr, it's just you're not able to merge it in by default, but you can create a new policy which opens the mr.

B

B

Maybe we could have some text here that says you need to contact your.

D

B

What it's a it's, the group owner or a namespace owner.

D

It's the project owner.

B

Okay, we'll figure that out.

C

uh I have a question with that regarding network policies or container run, we say container policies. uh Is that what we settled on, um I think that's.

A

What we set alone here.

C

Those didn't require you to be an owner to create. Is that correct.

D

Oh yeah, that's true. That's true. I forgot about those, so you would still have the new policy button, but you would not be able to create a new scan execution policy. Yeah.

C

Right so um I think right now for scan execution. It was easiest.

C

I know it wasn't even the easiest I just did I just like great, like I allowed you to select the scan execution policy still but grade out the create merge request button.

C

Probably a better solution is just graying out um graying out the scan execution policy selection in the drop down when you click new policy, and then you select what type of policy you're creating have it there but gray it out.

D

But then we have a similar sort of empty state where you select it, and it just says you know, contact your project, the owner of this project, because you don't have a you, don't yet have a policy project linked. So that's.

C

D

C

Right so you still want scan execution as it types selectable, but now it just shows the empty state correct.

D

Yeah, okay, so sorry annabelle, we misled you good good catch alexander forgot about the the um container policies.

B

So we do not need this page.

D

Yeah, so you can put that back how it was before. What we need instead is an empty state when you're selecting the policy type.

B

Oh, so, if I go here or.

D

B

D

The one type of policy, but not the other type of policy, and so we need an empty state for that scenario that directs them to contact the owner of the project.

B

B

I should write that down.

A

Is there a link that we could offer for for a better, more direct call to action, because, if you just say contact the owner of the project, maybe the entrepreneur that doesn't know what to do to get it away and do what? If you say, ask the owner of the project to click here to create a management project.

A

I don't know suggestion yeah.

D

That's a good point, I mean we do have documentation on it, so we certainly can provide a link for it. Yeah.

A

B

Yeah, I can look at what other features do and we can do something similar.

C

uh Sam, would you like this empty state to um exist for the current project for scan execution policies before we turn on the feature flag.

D

What are we doing right now? I said it's just grayed out right, yeah, that's what I.

C

Grayed out the create, merge, request button, uh and I I remember thinking I should ask someone about this and then uh I forgot to I'm sorry.

D

We should make that a fast follow-on, but the functionality is there, it's just a not as good of a user experience as it could be.

A

Cool. Thank you. That's a good good cause and in the spirit of iteration.

C

There's no uh iteration emoji that I can post, but uh here's a heart. I.

A

I had a I had a a minor knit slash uh language, maybe curiosity, the the on the second I think screen they showed on a bell. It says, enabled not enabled do you prefer that to enable disabled.

B

um Yeah I used not enabled because that's what we use on the security configuration page and I think that's what we started with before. I started messing everything around. I want to say, and don't quote me on this and it's being recorded, I feel like disabled isn't a word we should be using as much anymore. I don't know if that's sure I.

A

Was thinking about it.

B

A

Wonder if this is a you know, one of these words that we shouldn't be using here.

B

I don't know if that's why I kind of I don't like it as much anyway. I don't know why I find not enabled clearer to me more clearly well because.

A

B

Pass you pass the.

A

Not and you move on right, enable not enable not enable nothing.

D

You should get her opinion on it.

A

For me, it was was, I was curious because I I couldn't think of uh somewhere else to look for a patent, but it sounds like it's consistent. So I don't mind. I was just curious. It.

B

Is- and I think the reason also is because disabled I feel like implies an action, whereas this just isn't enabled like I don't know it, I don't. I don't know how to describe it. You know what I mean like.

A

For a need to extend it to my, I was curious, don't worry about it.

D

We could also change it and go with active and inactive might be another way to go.

A

And then the sedentary people may be, you know, why are you so inactive.

D

So I I don't know what we want to do when the policy doesn't exist yet annabelle it looked like looked like you were suggesting, it would just say, not enabled, but it might be a little bit confusing. So if you've got an openmr to create a new policy that does not yet exist, and that mr would set the policy to be enabled, it gets a little bit confusing because, like is this enabled, is it not? I don't know I could just foresee, maybe some confusion there.

D

I almost wonder if just leaving it blank would be better if the policy doesn't exist at all because it doesn't exist, so it technically doesn't have a status as of yet I don't know pending.

A

C

What about that and wait? Oh yeah! What happened with pending.

B

um It doesn't really fall in the same category as enabled or not enabled it's not like. That's a state that you can set in that area, so we removed it, and so I don't did I take pending out completely.

A

What, if we, I don't remember seeing it, I think so, what.

C

If we put it in there as not enabled, and then we also like gray it out a little.

B

We can't rely on color for that kind of stuff because it's not accessible and we do that with like closed issues. If you look at um related, one of the related issues are merger quest blocks. I didn't even know it was gray for a long time and that's what we were saying is closed. um But yeah. That's a good point. I do.

B

I do need to put back the pending, I removed it and I it doesn't have any sort of other than like the I added the open, merge request links, but that doesn't mean much for not merged policies. So let me put that back somewhere.

C

What about needs approval.

B

Yeah pending approval- I didn't want to put it in that column, but I need to put it somewhere.

B

I just don't know where yet.

B

I won't be doing it right now. I just put a note in the design.

D

Cool yeah: well, thanks for running through this annabelle, um I'm really excited to see where all this is headed. I think you know we're all making some really great progress in this area, so looking forward to seeing it all come out.

A

Thank you thank you for bringing um engineers on it as well. Thank you.

D

Annabelle or anyone else are there any more topics for today.

A

Not according to the agenda.

D

Well, thanks: everyone have a good week.

A

C

Hi, my friends.