- Overview
- Installation
- Features
- Supported container orchestrators
- Supported Kubernetes providers
- Roadmap
Container Host Security
Deprecated in GitLab 14.8, and planned for removal in GitLab 15.0.
Container Host Security in GitLab provides Intrusion Detection and Prevention capabilities that can monitor and (optionally) block activity inside the containers themselves. This is done by leveraging an integration with Falco to provide the monitoring capabilities and an integration with Pod Security Policies and AppArmor to provide blocking capabilities.
Overview
Container Host Security can be used to monitor and block activity inside a container as well as to enforce security policies across the entire Kubernetes cluster. Falco profiles allow for users to define the activity they want to monitor for and detect. Among other things, this can include system log entries, process starts, file activity, and network ports opened. AppArmor is used to block any undesired activity via AppArmor profiles. These profiles are loaded into the cluster when referenced by Pod Security Policies.
By default, Container Host Security is deployed into the cluster in monitor mode only, with no default profiles or rules running out-of-the-box. Activity monitoring and blocking begins only when users define profiles for these technologies.
Installation
See the installation guide for the recommended steps to install the Container Host Security capabilities. This guide shows the recommended way of installing Container Host Security through the Cluster Management Project. However, it’s also possible to do a manual installation through our Helm chart.
Features
- Prevent containers from starting as root.
- Limit the privileges and system calls available to containers.
- Monitor system logs, process starts, files read/written/deleted, and network ports opened.
- Optionally block processes from starting or files from being read/written/deleted.
Supported container orchestrators
Kubernetes v1.14+ is the only supported container orchestrator. OpenShift and other container orchestrators aren’t supported.
Supported Kubernetes providers
The following cloud providers are supported:
- Amazon EKS
- Google GKE
Although Container Host Security may function on Azure or self-managed Kubernetes instances, it isn’t officially tested and supported on those providers.
Roadmap
See the Category Direction page for more information on the product direction of Container Host Security.