The following steps are recommended to install and use Container Host Security through GitLab:
- Install at least one runner and connect it to GitLab.
- Create a group.
- Connect a Kubernetes cluster to the group.
- Install and configure an Ingress node:
  - Install the Ingress node via CI/CD (Cluster Management Project).
  - Navigate to the Kubernetes page and enter the DNS address for the external endpoint into the Base domain field on the Details tab. Save the changes to the Kubernetes cluster.
- Install and configure Falco for activity monitoring.
- Install and configure AppArmor for activity blocking.
- Configure Pod Security Policies (required to be able to load AppArmor profiles).
It’s possible to install and manage Falco and AppArmor in other ways, such as installing them manually in a Kubernetes cluster and then connecting it back to GitLab. These methods aren’t supported or documented.
Falco logs can be viewed by running the following command in your Kubernetes cluster:
```shell
kubectl -n gitlab-managed-apps logs -l app=falco
```
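To triage that output by severity, the following shell function keeps only events at or above a chosen Falco priority. It is an added example, not part of the GitLab documentation; it assumes Falco's default text line format or its JSON output, and `falco_filter`, `falco_sample` and the sample log lines are constructed for illustration.

```shell
# Keep only Falco events at or above a minimum priority (added example).
# On a cluster: kubectl -n gitlab-managed-apps logs -l app=falco | falco_filter Warning

# Constructed sample lines: default text format, JSON output, and a startup message.
falco_sample() {
cat <<'EOF'
18:02:11.104523017: Notice A shell was spawned in a container with an attached terminal (user=root container=web-1 shell=bash)
18:02:45.990012345: Warning Sensitive file opened for reading by non-trusted program (user=root file=/etc/shadow container=web-1)
{"output":"18:03:02.000000001: Error File below /etc opened for writing (file=/etc/passwd container=api-2)","priority":"Error","rule":"Write below etc","time":"2021-01-01T18:03:02.000000001Z"}
Mon Jan  1 18:00:00 2021: Loading rules from file /etc/falco/falco_rules.yaml
18:04:10.500000000: Debug Example low-priority event (constructed)
EOF
}

falco_filter() {
  # $1 = minimum priority name; Falco levels are ranked most to least severe.
  awk -v min="$1" '
    BEGIN {
      n = split("Emergency Alert Critical Error Warning Notice Informational Debug", p, " ")
      for (i = 1; i <= n; i++) rank[tolower(p[i])] = i
      rank["info"] = rank["informational"]
      limit = rank[tolower(min)]
      if (!limit) { print "unknown priority: " min > "/dev/stderr"; exit 2 }
    }
    {
      prio = ""
      if (match($0, /"priority" *: *"[A-Za-z]+"/)) {
        # JSON output line: take the value of the priority field.
        prio = substr($0, RSTART, RLENGTH)
        sub(/^"priority" *: *"/, "", prio); sub(/"$/, "", prio)
      } else if ($1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+:$/) {
        # Text line: the priority follows the timestamp.
        prio = $2
      }
      # Lines without a recognised priority (startup messages) are dropped.
      r = rank[tolower(prio)]
      if (r && r <= limit) print
    }
  '
}
```
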
Your CI/CD pipeline may occasionally fail or have trouble connecting to the cluster. Here are some initial troubleshooting steps that resolve the most common problems:
- Clear the cluster cache
If things still aren’t working, a more assertive set of actions may help get things back to a good state:
- Stop and delete the problematic environment in GitLab.
- Delete the relevant namespace in Kubernetes by running `kubectl delete namespaces <insert-some-namespace-name>` in your Kubernetes cluster.
- Rerun the application project pipeline to redeploy the application.