The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Protect |
| Maturity | Minimal |
| Content Last Reviewed | 2021-01-29 |
Thanks for visiting this category direction page on Container Network Security in GitLab. This page belongs to the Container Security group of the Protect stage and is maintained by Sam White (swhite@gitlab.com).
This direction page is a work in progress, and everyone can contribute. We welcome feedback, bug reports, feature requests, and community contributions.
/label ~"devops::protect" ~"Category:Container Network Security" ~"group::container security".
We believe everyone can contribute and so if you wish to contribute here is how to get started.
Container Network Security involves filtering and securing the network traffic inside a containerized environment to enforce a least privilege access model and to block attacks at the network layer whenever possible. Although this category is currently at a minimal maturity level, the end goal is to provide a solution that includes the following key features and capabilities:
The long-term goal and intent is to support these capabilities across containerized environments. We plan to start with support for Kubernetes (including self-hosted Kubernetes, GKE, and EKS) and later add support for other cloud containerized environments such as Openshift or serverless. We do not plan to add support for non-containerized environments.
We are planning to build a Container Network Security solution that is cloud native, easy to use, and tightly integrated with the rest of GitLab. Our underlying architecture will combine several technologies to create a full-featured solution while also simplifying and unifying the management experience to look and feel like a single, easy-to-use product. We plan to be both a network-based IDS and an IPS, allowing users to choose to either log, alert, or block any activity that is detected in their containerized environments.
Some of the top detection and protection capabilities that are planned include network firewalling, segmentation, signature blocking, and behavior analytics. We plan to provide an intuitive policy editor to simplify the administration of the tool. We also plan to surface actionable alerts and logs inside GitLab to allow for a simple triage and response workflow to detected attacks. Longer-term we plan to add support for serverless applications as well as other container management tools beyond Kubernetes.
To reach the Viable Maturity level, we will need to implement the following features:
In 13.9, we plan to allow users to configure Network Policies policies to send an Alert to GitLab. In addition, we plan to provide a minimal interface for viewing and triaging those Alerts. After we complete this work, we plan to temporarily defer future work on this category in favor of allocating our resources toward the Security Orchestration and Container Scanning categories. Community contributions are always welcome, and it is likely that additional Gitlab resources will be put towards this category again at some point in the future.
We are not currently planning to do the following:
We plan to measure the success of this category based on the total volume of traffic that is inspected by our Container Network Security solution across our entire customer base.
Current solutions that offer container network security are point solutions. GitLab can differentiate from other offerings by providing security that is embedded into GitLab managed Kubernetes clusters and tightly integrated into the rest of the GitLab product. Some of the current offerings are free, while others are proprietary.
Some of the solutions that provide container network security include the following products (list taken from eSecurity Planet):
Additionally, Cilium and Calico are popular open source projects that provide Container Network Security capabilities. GitLab has embedded Cilium into GitLab to allow users to create Network Policies.
This category is part of the market defined by Gartner as the Cloud Workload Protection Platforms (CWPP) Market.
