The following steps are recommended for installing Container Host Security. Although you can install some capabilities through GMAv1, we recommend that you install applications through GMAv2 exclusively when using Container Network Security.
The following steps are recommended to install and use Container Host Security through GitLab:
- Install at least one runner and connect it to GitLab.
- Create a group.
- Connect a Kubernetes cluster to the group.
- Install and configure an Ingress node:
  - Install the Ingress node via CI/CD (GMAv2).
  - Determine the external endpoint via the manual method.
  - Navigate to the Kubernetes page and enter the DNS address for the external endpoint into the Base domain field on the Details tab. Save the changes to the Kubernetes cluster.
- Install and configure Falco for activity monitoring.
- Install and configure AppArmor for activity blocking.
- Configure Pod Security Policies (required to be able to load AppArmor profiles).
It’s possible to install and manage Falco and AppArmor in other ways, such as installing them manually in a Kubernetes cluster and then connecting it back to GitLab. These methods aren’t supported or documented.
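To illustrate the Pod Security Policy step above, here is an added example (not taken from the GitLab documentation) of a policy that permits AppArmor profiles, followed by a pod that requests one. The names `apparmor-restricted`, `k8s-example-profile`, `demo`, and the image are hypothetical placeholders.

```yaml
# Added example; policy, profile, pod, and image names are hypothetical.
apiVersion: policy/v1beta1   # PodSecurityPolicy API (removed in Kubernetes 1.25)
kind: PodSecurityPolicy
metadata:
  name: apparmor-restricted
  annotations:
    # Profiles that pods admitted under this policy are allowed to request.
    apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default,localhost/k8s-example-profile"
    # Profile applied to containers that do not request one explicitly.
    apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # The four strategy fields below are mandatory in every PodSecurityPolicy.
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
---
apiVersion: v1
kind: Pod
metadata:
  name: demo
  annotations:
    # Key format: container.apparmor.security.beta.kubernetes.io/<container name>
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-example-profile
spec:
  containers:
    - name: app
      image: registry.example.com/demo/app:1.0
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        allowPrivilegeEscalation: false
```

The policy only takes effect for pods whose service account is authorized through RBAC to `use` it, and a `localhost/` profile must already be loaded on the node that runs the pod.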
Falco logs can be viewed by running the following command in your Kubernetes cluster:
```shell
kubectl -n gitlab-managed-apps logs -l app=falco
```
Your CI/CD pipeline may occasionally fail or have trouble connecting to the cluster. Here are some initial troubleshooting steps that resolve the most common problems:
- Clear the cluster cache
If things still aren’t working, a more assertive set of actions may help get things back to a good state:
- Stop and delete the problematic environment in GitLab.
- Delete the relevant namespace in Kubernetes by running `kubectl delete namespaces <insert-some-namespace-name>` in your Kubernetes cluster.
- Rerun the application project pipeline to redeploy the application.
When GMAv1 and GMAv2 are used together on the same cluster, users may experience problems with applications being uninstalled or removed from the cluster. This is because GMAv2 actively uninstalls applications that are installed with GMAv1 and not configured to be installed with GMAv2. It’s possible to use a mixture of applications installed with GMAv1 and GMAv2 by ensuring that the GMAv1 applications are installed after the GMAv2 cluster management project pipeline runs. GMAv1 applications must be reinstalled after each run of that pipeline. This approach isn’t recommended as it’s error-prone and can lead to downtime as applications are uninstalled and later reinstalled. When using Container Network Security, the preferred and recommended path is to install all necessary components with GMAv2 and the cluster management project.