1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
---
stage: Protect
group: Container Security
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Container Host Security **(FREE)**
> [Deprecated](https://gitlab.com/groups/gitlab-org/-/epics/7476) in GitLab 14.8, and planned for [removal](https://gitlab.com/groups/gitlab-org/-/epics/7477) in GitLab 15.0.
WARNING:
Container Host Security is in its end-of-life process. It's [deprecated](https://gitlab.com/groups/gitlab-org/-/epics/7476)
in GitLab 14.8, and planned for [removal](https://gitlab.com/groups/gitlab-org/-/epics/7477)
in GitLab 15.0.
Container Host Security in GitLab provides Intrusion Detection and Prevention capabilities that can
monitor and (optionally) block activity inside the containers themselves. This is done by leveraging
an integration with Falco to provide the monitoring capabilities and an integration with Pod
Security Policies and AppArmor to provide blocking capabilities.
## Overview
Container Host Security can be used to monitor and block activity inside a container as well as to
enforce security policies across the entire Kubernetes cluster. Falco profiles allow for users to
define the activity they want to monitor for and detect. Among other things, this can include system
log entries, process starts, file activity, and network ports opened. AppArmor is used to block any
undesired activity via AppArmor profiles. These profiles are loaded into the cluster when
referenced by Pod Security Policies.
By default, Container Host Security is deployed into the cluster in monitor mode only, with no
default profiles or rules running out-of-the-box. Activity monitoring and blocking begins only when
users define profiles for these technologies.
## Installation
See the [installation guide](quick_start_guide.md) for the recommended steps to install the
Container Host Security capabilities. This guide shows the recommended way of installing Container
Host Security through the Cluster Management Project. However, it's also possible to do a manual
installation through our Helm chart.
## Features
- Prevent containers from starting as root.
- Limit the privileges and system calls available to containers.
- Monitor system logs, process starts, files read/written/deleted, and network ports opened.
- Optionally block processes from starting or files from being read/written/deleted.
## Supported container orchestrators
Kubernetes v1.14+ is the only supported container orchestrator. OpenShift and other container
orchestrators aren't supported.
## Supported Kubernetes providers
The following cloud providers are supported:
- Amazon EKS
- Google GKE
Although Container Host Security may function on Azure or self-managed Kubernetes instances, it isn't
officially tested and supported on those providers.
## Roadmap
See the [Category Direction page](https://about.gitlab.com/direction/protect/container_host_security/)
for more information on the product direction of Container Host Security.
|
