Getting started with Container Host Security

Deprecated in GitLab 14.8, and planned for removal in GitLab 15.0.

Container Host Security is in its end-of-life process. It’s deprecated in GitLab 14.8, and planned for removal in GitLab 15.0.

The following steps are recommended for installing Container Host Security.

Installation steps

The following steps are recommended to install and use Container Host Security through GitLab:

  1. Install at least one runner and connect it to GitLab.
  2. Create a group.
  3. Connect a Kubernetes cluster to the group.
  4. Create a cluster management project and associate it with the Kubernetes cluster.

  5. Install and configure an Ingress node:

  6. Install and configure Falco for activity monitoring.
  7. Install and configure AppArmor for activity blocking.
  8. Configure Pod Security Policies (required to be able to load AppArmor profiles).

It’s possible to install and manage Falco and AppArmor in other ways, such as installing them manually in a Kubernetes cluster and then connecting it back to GitLab. These methods aren’t supported or documented.

Viewing the logs

Falco logs can be viewed by running the following command in your Kubernetes cluster:

kubectl -n gitlab-managed-apps logs -l app=falco


Trouble connecting to the cluster

Your CI/CD pipeline may occasionally fail or have trouble connecting to the cluster. Here are some initial troubleshooting steps that resolve the most common problems:

  1. Clear the cluster cache
  2. If things still aren’t working, a more assertive set of actions may help get things back to a good state:

    • Stop and delete the problematic environment in GitLab.
    • Delete the relevant namespace in Kubernetes by running kubectl delete namespaces <insert-some-namespace-name> in your Kubernetes cluster.
    • Rerun the application project pipeline to redeploy the application.

Related documentation links: