Getting started with Container Host Security

Caution: Container Host Security is in its end-of-life process. It’s deprecated in GitLab 14.8, and planned for removal in GitLab 15.0.

The following steps are recommended for installing Container Host Security.

Installation steps

The following steps are recommended to install and use Container Host Security through GitLab:

  1. Install at least one runner and connect it to GitLab.
  2. Create a group.
  3. Connect a Kubernetes cluster to the group.
  4. Create a cluster management project and associate it with the Kubernetes cluster.
  5. Install and configure an Ingress node.
  6. Install and configure Falco for activity monitoring.
  7. Install and configure AppArmor for activity blocking.
  8. Configure Pod Security Policies (required to be able to load AppArmor profiles).

It’s possible to install and manage Falco and AppArmor in other ways, such as installing them manually in a Kubernetes cluster and then connecting it back to GitLab. These methods aren’t supported or documented.

Viewing the logs

Falco logs can be viewed by running the following command in your Kubernetes cluster:

kubectl -n gitlab-managed-apps logs -l app=falco
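Raw Falco output is noisy, so a practitioner usually wants to sort the log stream by priority before reading it. The following shell snippet is an added example, not part of the GitLab page or of the Falco project: it defines two small filters that work on Falco's default log line format ("<time>: <Priority> <rule output>", an assumption about the deployed configuration) and runs them over constructed sample lines so it can be tried offline. Against a live cluster, the page's own `kubectl` command is simply piped into either function.

```shell
#!/bin/sh
# Added example (not from the GitLab page or the Falco project): triage Falco
# log lines by priority. Assumes Falco's default output format, i.e.
#   "<time>: <Priority> <rule output>"
# where Priority is one of Emergency, Alert, Critical, Error, Warning,
# Notice, Informational, Debug.

# Count events per priority; prints "<Priority> <count>" lines,
# most frequent first, ties broken alphabetically.
falco_summary() {
  awk '{ if ($2 != "") c[$2]++ }
       END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1
}

# Keep only lines at Warning priority or above (Emergency..Warning),
# i.e. the ones worth looking at first during an incident.
falco_high_priority() {
  grep -E '^[^ ]+: (Emergency|Alert|Critical|Error|Warning) '
}

# Constructed sample lines in Falco's default format (not real cluster output).
SAMPLE_FALCO_LOGS='10:15:32.123456789: Notice A shell was spawned in a container with an attached terminal (user=root container_id=abc123 image=nginx)
10:15:40.000000001: Warning Sensitive file opened for reading by non-trusted program (user=root file=/etc/shadow container_id=abc123)
10:16:01.555555555: Notice A shell was spawned in a container with an attached terminal (user=app container_id=def456 image=busybox)
10:16:05.000000000: Error File below /etc opened for writing (user=root file=/etc/passwd container_id=abc123)'

# Run both filters over the constructed sample.
printf '%s\n' "$SAMPLE_FALCO_LOGS" | falco_summary
printf '%s\n' "$SAMPLE_FALCO_LOGS" | falco_high_priority

# Against a live cluster, pipe the page's command into either function:
#   kubectl -n gitlab-managed-apps logs -l app=falco | falco_high_priority
#   kubectl -n gitlab-managed-apps logs -l app=falco | falco_summary
```

The summary is a quick way to spot a rule that is firing far more often than expected (a tuning problem or a real event), while the high-priority filter is what to read first when the pipeline or cluster starts misbehaving.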

Troubleshooting

Trouble connecting to the cluster

Your CI/CD pipeline may occasionally fail or have trouble connecting to the cluster. Here are some initial troubleshooting steps that resolve the most common problems:

  1. Clear the cluster cache.
  2. If things still aren’t working, a more assertive set of actions may help get things back to a good state:

    • Stop and delete the problematic environment in GitLab.
    • Delete the relevant namespace in Kubernetes by running kubectl delete namespaces <insert-some-namespace-name> in your Kubernetes cluster.
    • Rerun the application project pipeline to redeploy the application.
