| Stage | Protect |
| Maturity | Minimal |
| Content Last Reviewed | 2020-09-15 |
Thanks for visiting this category direction page on Container Network Security in GitLab. This page belongs to the Container Security group of the Protect stage and is maintained by Sam White (swhite@gitlab.com).
This direction page is a work in progress, and everyone can contribute:
Container Network Security involves filtering and securing the network traffic inside a containerized environment to enforce a least privilege access model and to block attacks at the network layer whenever possible. Although this category is currently at a minimal maturity level, the end goal is to provide a solution that includes the following key features and capabilities:
The long-term goal and intent is to support these capabilities across containerized environments. We plan to start with support for Kubernetes (including self-hosted Kubernetes, GKE, and EKS) and later add support for other cloud containerized environments such as Openshift or serverless. We do not plan to add support for non-containerized environments.
We are planning to build a Container Network Security solution that is cloud native, easy to use, and tightly integrated with the rest of GitLab. Our underlying architecture will combine several technologies to create a full-featured solution while also simplifying and unifying the management experience to look and feel like a single, easy-to-use product. We plan to be both a network-based IDS and an IPS, allowing users to choose to either log, alert, or block any activity that is detected in their containerized environments.
Some of the top detection and protection capabilities that are planned include network firewalling, segmentation, signature blocking, and behavior analytics. We plan to provide an intuitive policy editor to simplify the administration of the tool. We also plan to surface actionable alerts and logs inside GitLab to allow for a simple triage and response workflow to detected attacks. Longer-term we plan to add support for serverless applications as well as other container management tools beyond Kubernetes.
Q3 FY'21 - (August 2020 - October 2020)
Q4 FY'21 - (November 2020 - January 2021)
Q1 FY'22 - (February 2021 - April 2021)
Q2 FY'22 - (May 2021 - July 2021)
Q3 FY'22 - (August 2021 - October 2021)
In 13.1 we added the ability to view Network Policies in the GitLab UI and to enable or disable those policies. We then significantly extended the policy management functionality in 13.4 to also allow for creating, editing, and deleting of Network Policies.
Next, for 13.5, we plan to allow users to configure policies to send an Alert to GitLab. In addition, we plan to provide a minimal interface for viewing and triaging those Alerts.
We are not currently planning to do the following:
We plan to measure the success of this category based on the total volume of traffic that is inspected by our Container Network Security solution across our entire customer base.
Current solutions that offer container network security are point solutions. GitLab can differentiate from other offerings by providing security that is embedded into GitLab managed Kubernetes clusters and tightly integrated into the rest of the GitLab product. Some of the current offerings are free, while others are proprietary.
Some of the solutions that provide container network security include the following products (list taken from eSecurity Planet):
Additionally, Cilium and Calico are popular open source projects that provide Container Network Security capabilities. GitLab has embedded Cilium into GitLab to allow users to create Network Policies.
This category is part of the market defined by Gartner as the Cloud Workload Protection Platforms (CWPP) Market.
