Twistlock software consists of two components: Console and Defender. Install Twistlock in two steps. First, install Console. Then install Defender.
Console is Twistlock’s management interface. It lets you define policy and monitor your environment. Console is delivered as a container image.
Defender protects your environment according to the policies set in Console. There are a number of Defender types, each designed to protect a specific resource type.
Install one Console per environment. Here, environment is loosely defined because the scope differs from organization to organization. Some will run a single instance of Console for their entire environment. Others will run an instance of Console for each of their prod, staging, and dev environments. Twistlock supports virtually any topology.
The primary concern for most customers first getting started with Twistlock is securing their container environment. To do this, install Container Defender on every host that runs containers. Container orchestrators typically provide native capabilities for deploying an agent, such as Defender, to every node in the cluster, and Twistlock leverages these capabilities to install Defender. For example, Kubernetes and OpenShift offer DaemonSets, which guarantee that an agent runs on every node in the cluster. Twistlock Defender, therefore, is deployed in Kubernetes and OpenShift clusters as a DaemonSet.
In this section, you’ll find dedicated install guides for all popular container platforms. Each guide shows how to install Console and Defender for that given platform.
As you adopt additional cloud-native technologies, Twistlock can be extended to protect those environments too. Deploy the Defender type best suited for the job. For example, today you might use Amazon EKS (Kubernetes) clusters to run your apps. This part of your environment would be protected by Container Defender. Later you might adopt AWS Lambda functions. This part of your environment would be secured by Serverless Defender. Extending Twistlock to protect other types of cloud-native technologies calls for deploying the right Defender type.
All Defenders, regardless of their type, report back to Console, letting you secure a hybrid environment with a single tool. The main criterion for installing Defender is that it can connect to Console. Defender connects to Console via websocket over port 8084 to retrieve policies and send data. The following diagram shows the key connections.
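Because the only hard prerequisite for a Defender host is that it can open the websocket to Console on port 8084, a pre-install check that walks that channel stage by stage (TCP reach, TLS session, WebSocket upgrade) is worth running before deploying. The script below is an added example, not Twistlock's own tooling: it assumes only the port stated above; the Console host name and the request path are placeholders, and the RFC 6455 handshake logic is generic, so against a real Console the upgrade stage may fail for path or authentication reasons while the TCP and TLS stages still tell you whether the host can reach Console at all.

```python
"""Pre-install connectivity check for the Defender -> Console websocket channel.

Added example, not Twistlock code. Assumes only what the page states: Defender
reaches Console over a TLS websocket (WSS) on port 8084. Host name and path
below are placeholders to replace with your own values."""
import base64
import hashlib
import os
import socket
import ssl

CONSOLE_PORT = 8084  # Defender -> Console websocket port named on the page
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455


def expected_accept(client_key):
    """Sec-WebSocket-Accept value a server must return for client_key (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host, port, path, client_key):
    """Minimal HTTP/1.1 request asking the server to switch to the WebSocket protocol."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {client_key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_handshake_response(raw, client_key):
    """Return (ok, reason); ok is True only for a 101 reply whose accept header matches our key."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 101"):
        return False, "server did not switch protocols: " + (lines[0] if lines else "empty response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing or wrong Upgrade header"
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "websocket handshake completed"


def check_console(host, port=CONSOLE_PORT, path="/", cafile=None, timeout=5.0):
    """Walk the stages a Defender needs: TCP reach, TLS session, WebSocket upgrade.

    cafile is the CA certificate used to verify Console's TLS certificate; None
    disables verification, which is acceptable only for a first reachability probe."""
    result = {"tcp": False, "tls": False, "websocket": False, "detail": ""}
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    client_key = base64.b64encode(os.urandom(16)).decode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                tls.sendall(build_upgrade_request(host, port, path, client_key))
                ok, reason = parse_handshake_response(tls.recv(4096), client_key)
                result["websocket"], result["detail"] = ok, reason
    except (OSError, ssl.SSLError) as exc:
        result["detail"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass the real Console address as the first argument.
    console_host = sys.argv[1] if len(sys.argv) > 1 else "console.example.internal"
    print(check_console(console_host))
```

Run it from the prospective Defender host, not from your workstation: the point is to prove that this host's network path (firewalls, proxies, security groups) allows the outbound 8084 websocket before the DaemonSet or service rolls out.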
Start your install with one of our dedicated guides.
Install procedure | Description
---|---
Single host | Simple, quick install of Twistlock on a single, stand-alone host. Installs both Console and Defender onto a host. Suitable for evaluating Twistlock in a small, self-contained environment. You can extend the environment by installing Defender on additional hosts.
Kubernetes | Twistlock runs on any implementation of Kubernetes, whether you build the cluster from scratch or use a managed solution (also known as Kubernetes as a service). We’ve tested and validated the install on: In some cases, there is a dedicated section for installing on a specific cloud provider’s managed solution. When there is no dedicated section, use the generic install method.
OpenShift | Twistlock offers native support for OpenShift. Install Console as a ReplicationController and Defenders as a DaemonSet.
Pivotal Container Service (PKS) | Pivotal Container Service (PKS) is built on the latest stable OSS distribution of Kubernetes. Twistlock always supports the latest version of Kubernetes, so installing Twistlock on PKS is easy. Follow our dedicated PKS install guide, which mirrors the Kubernetes install flow.
Docker Swarm | Twistlock supports Docker Swarm using Swarm-native features. Deploy Console as a service and rely on Swarm to provide built-in high availability. Then deploy Defender as a global service, which guarantees that Defender is automatically deployed to each worker node in the cluster.
Amazon ECS | To install Twistlock, deploy Console to your cluster with a task definition. Then configure the launch configuration for cluster members to download and run Defenders, guaranteeing that every node is protected.
DC/OS | Twistlock supports DC/OS or Mesos clusters that use either the Kubernetes or Marathon scheduler. For the Kubernetes scheduler, use our standard Kubernetes install procedure. For the Marathon scheduler, install Console using the twistlock.sh install script. Then deploy Defenders to the cluster as a Marathon application, which guarantees that each node in the cluster runs an instance of Defender.
Windows | Install Defender on Windows hosts running containers. Defender is installed using a PowerShell script. Note that while Defenders can run on both Windows and Linux hosts, Console can only run on Linux. As you would expect, Windows Defenders are designed to interoperate with the Linux-based Console to send data and retrieve policy.
All user-to-Console communication is encrypted with TLS (HTTPS). Likewise, all Defender-to-Console communication is encrypted with TLS (WSS).
The Twistlock database is not encrypted at rest; however, all credentials and other sensitive data stored in it are encrypted with 256-bit AES.
If you require data at rest to be encrypted, mount the underlying persistent storage for /var/lib/twistlock on a volume that provides it, such as an encrypted block device or file system; many storage options support this.
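Since the product does not encrypt its database at rest, the control that actually enforces the requirement is the volume under /var/lib/twistlock, and that is worth verifying on the Console host rather than assumed from a provisioning ticket. The following is an added example, not Twistlock tooling: it reads /proc/mounts to find the mount that holds the data directory and checks whether the backing device appears as a `crypt` node (a dm-crypt/LUKS mapping) in `lsblk -J` output. The sample inputs are constructed. It only recognises block-level encryption visible to lsblk; cloud-provider volume encryption or file-system-level encryption would not show up as `crypt` and needs a separate check.

```python
"""Check whether the volume backing /var/lib/twistlock is an encrypted block device.

Added example, not Twistlock code. Inspects /proc/mounts and the JSON output of
`lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux). Sample inputs below are constructed."""
import json
import subprocess

TWISTLOCK_DATA = "/var/lib/twistlock"  # persistence path named on the page


def mount_for_path(path, proc_mounts_text):
    """Return (source, mountpoint) for the longest mount point that contains path, or None."""
    best = None
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        source, mountpoint = fields[0], fields[1]
        # "/" rstrips to "", so every absolute path matches the root mount as a fallback
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[1]):
                best = (source, mountpoint)
    return best


def crypt_devices(lsblk_json_text):
    """Collect /dev/mapper names of every node lsblk reports with TYPE 'crypt'."""
    found = set()

    def walk(nodes):
        for node in nodes:
            if node.get("type") == "crypt":
                found.add("/dev/mapper/" + node["name"])
            walk(node.get("children", []))

    walk(json.loads(lsblk_json_text).get("blockdevices", []))
    return found


def data_dir_is_encrypted(path, proc_mounts_text, lsblk_json_text):
    """True when the mount holding `path` is backed by a crypt-type device."""
    mount = mount_for_path(path, proc_mounts_text)
    if mount is None:
        return False
    return mount[0] in crypt_devices(lsblk_json_text)


def check_live_host(path=TWISTLOCK_DATA):
    """Run the same check against the current Linux host (requires lsblk from util-linux)."""
    with open("/proc/mounts") as fh:
        mounts = fh.read()
    lsblk = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                           capture_output=True, text=True, check=True).stdout
    return data_dir_is_encrypted(path, mounts, lsblk)


# Constructed sample inputs: root on a plain partition, the data dir on a LUKS mapping.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/tl-data /var/lib/twistlock ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": "/"}]},
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "tl-data", "type": "crypt", "mountpoint": "/var/lib/twistlock"}]},
]})

if __name__ == "__main__":
    print("sample:", data_dir_is_encrypted(TWISTLOCK_DATA, SAMPLE_MOUNTS, SAMPLE_LSBLK))
    print("this host:", check_live_host())
```

The longest-prefix match matters: if /var/lib/twistlock is not its own mount, the check falls through to whatever holds /var/lib or /, which is usually the unencrypted root device, and the function correctly reports False.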