gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
diff --git a/doc/user/project/clusters/protect/container_host_security/index.md b/doc/user/project/clusters/protect/container_host_security/index.md
new file mode 100644
index 00000000000..102001d4f87
--- /dev/null
+++ b/doc/user/project/clusters/protect/container_host_security/index.md
@@ -0,0 +1,59 @@
+---
+stage: Protect
+group: Container Security
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+---
+
+# Container Host Security
+
+Container Host Security in GitLab provides Intrusion Detection and Prevention capabilities that can
+monitor and (optionally) block activity inside the containers themselves. This is done by leveraging
+an integration with Falco to provide the monitoring capabilities and an integration with Pod
+Security Policies and AppArmor to provide blocking capabilities.
+
+## Overview
+
+Container Host Security can be used to monitor and block activity inside a container as well as to
+enforce security policies across the entire Kubernetes cluster. Falco profiles allow for users to
+define the activity they want to monitor for and detect. Among other things, this can include system
+log entries, process starts, file activity, and network ports opened. AppArmor is used to block any
+undesired activity via AppArmor profiles. These profiles are loaded into the cluster when
+referenced by Pod Security Policies.
+
+By default, Container Host Security is deployed into the cluster in monitor mode only, with no
+default profiles or rules running out-of-the-box. Activity monitoring and blocking begins only when
+users define profiles for these technologies.
+
+## Installation
+
+See the [installation guide](quick_start_guide.md) for the recommended steps to install the
+Container Host Security capabilities. This guide shows the recommended way of installing Container
+Host Security through GMAv2. However, it's also possible to do a manual installation through our
+Helm chart.
+
+## Features
+
+- Prevent containers from starting as root.
+- Limit the privileges and system calls available to containers.
+- Monitor system logs, process starts, files read/written/deleted, and network ports opened.
+- Optionally block processes from starting or files from being read/written/deleted.
+
+## Supported container orchestrators
+
+Kubernetes v1.14+ is the only supported container orchestrator. OpenShift and other container
+orchestrators aren't supported.
+
+## Supported Kubernetes providers
+
+The following cloud providers are supported:
+
+- Amazon EKS
+- Google GKE
+
+Although Container Host Security may function on Azure or self-managed Kubernetes instances, it isn't
+officially tested and supported on those providers.
+
+## Roadmap
+
+See the [Category Direction page](https://about.gitlab.com/direction/protect/container_host_security/)
+for more information on the product direction of Container Host Security.
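Review bot: The terminology for what users define is inconsistent within this hunk, which will confuse readers setting the feature up: the Overview says "Falco profiles allow for users to define the activity they want to monitor", while the next paragraph speaks of "profiles or rules" and the first paragraph ties profiles to AppArmor and Pod Security Policies. Falco's unit of configuration is a rule, AppArmor's is a profile, so suggest "Falco rules allow users to define the activity they want to monitor for and detect" in the Overview and "Activity monitoring and blocking begins only when users define Falco rules and AppArmor profiles" in the paragraph that follows, so the two blocking and monitoring mechanisms are never conflated. Separately, in the Installation section the acronym "GMAv2" is used without being expanded or linked anywhere on the page; expand it on first use and link to its documentation so a reader can tell which installation path "the recommended way" refers to.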