
Category Direction - Container Network Security

Stage: Defend
Maturity: Minimal
Content Last Reviewed: 2020-05-29

Introduction and how you can help

Thanks for visiting this category direction page on Container Network Security in GitLab. This page belongs to the Container Security group of the Defend stage and is maintained by Sam White (swhite@gitlab.com).

This direction page is a work in progress, and everyone can contribute:

Overview

Container Network Security involves filtering and securing the network traffic inside a containerized environment to enforce a least privilege access model and to block attacks at the network layer whenever possible. Although this category is currently at a minimal maturity level, the end goal is to provide a solution that includes the following key features and capabilities:

The long-term goal and intent is to support these capabilities across containerized environments. We plan to start with support for Kubernetes (including self-hosted Kubernetes, GKE, and EKS) and later add support for other cloud containerized environments such as OpenShift or serverless. We do not plan to add support for non-containerized environments.

Target Audience

Where we are Headed

We are planning to build a Container Network Security solution that is cloud native, easy to use, and tightly integrated with the rest of GitLab. Our underlying architecture will combine several technologies to create a full-featured solution while also simplifying and unifying the management experience to look and feel like a single, easy-to-use product. We plan to be both a network-based IDS and an IPS, allowing users to choose to either log, alert, or block any activity that is detected in their containerized environments.

Some of the top detection and protection capabilities that are planned include network firewalling, segmentation, signature blocking, and behavior analytics. We plan to provide an intuitive policy editor to simplify the administration of the tool. We also plan to surface actionable alerts and logs inside GitLab to allow for a simple triage and response workflow to detected attacks. Longer-term we plan to add support for serverless applications as well as other container management tools beyond Kubernetes.

What is our Vision (Long-term Roadmap)

Q2 FY'21 - (April 2020 - July 2020)

Q3 FY'21 - (August 2020 - October 2020)

Q4 FY'21 - (November 2020 - January 2021)

Q1 FY'22 - (February 2021 - April 2021)

What's Next & Why (Near-term Roadmap)

In 13.0 we added the ability to export container network security logs to a SIEM or central logging solution.

Our next steps, planned for 13.1, are to add more visibility around how to turn Container Network Policies on and off, as well as an initial, basic policy management UI.

What is Not Planned Right Now

We are not currently planning to do the following:

Maturity Plan

Planned to Viable

User success metrics

We plan to measure the success of this category based on the total volume of traffic that is inspected by our Container Network Security solution across our entire customer base.

Competitive Landscape

Current solutions that offer container network security are point solutions. GitLab can differentiate from other offerings by providing security that is embedded into GitLab managed Kubernetes clusters and tightly integrated into the rest of the GitLab product. Some of the current offerings are free, while others are proprietary.

Some of the solutions that provide container network security include the following products (list taken from eSecurity Planet):

Additionally, Cilium and Calico are popular open source projects that provide Container Network Security capabilities. GitLab has embedded Cilium into GitLab to allow users to create Network Policies.

Analyst Landscape

This category is part of the market defined by Gartner as the Cloud Workload Protection Platforms (CWPP) Market.
