This guide demonstrates how to deploy Twistlock Defenders outside the OpenShift cluster where the Twistlock Console is running. You need to expose the Twistlock-Console service's TCP ports 8083 and 8084 as external OpenShift routes; each route is a unique, fully qualified domain name. In this example, you deploy Twistlock Defenders as a DaemonSet in a second OpenShift cluster and to a Windows Server 2016 with Containers node. Twistlock API calls are made to the Twistlock-Console external OSE router at https://console1.apps.jonathan.lab.twistlock.com, and the Twistlock Defenders communicate with the Console via wss://defenders.apps.jonathan.lab.twistlock.com:443.
The Twistlock Console is fully operational (see the Twistlock OpenShift Deployment guide).
An existing OpenShift external route to the Twistlock-Console’s TCP port 8083 (Twistlock UI and API)
All commands are run from a system that is external to the OpenShift Cluster using the oc and twistcli commands.
Log into the OpenShift Cluster running the Twistlock Console.
Go to Twistlock Project > Applications > Routes.
Create New Route.
Name: twistlock-defender.
Hostname: defenders.apps.jonathan.lab.twistlock.com.
Target Port: 8084 → 8084.
Security:
TLS Termination: Passthrough.
Insecure Traffic: Redirect.
Add the new route's FQDN to the Twistlock Console certificate's Subject Alternative Names (SANs).
In the Twistlock Console go to Manage > Defenders > Names.
Click Add SAN.
Add the new route FQDN defenders.apps.jonathan.lab.twistlock.com.
Using the twistcli tool, generate the Twistlock Defender defender.yaml file.
Run the command:

```shell
$ linux/twistcli defender export openshift \
    --address https://console1.apps.jonathan.lab.twistlock.com \
    --cluster-address defenders.apps.jonathan.lab.twistlock.com \
    --namespace twistlock \
    --selinux-enabled
```
Edit the resulting defender.yaml and change:

```yaml
- name: WS_ADDRESS
  value: wss://defenders.apps.jonathan.lab.twistlock.com:8084
```

to:

```yaml
- name: WS_ADDRESS
  value: wss://defenders.apps.jonathan.lab.twistlock.com:443
```
Run oc login against the OpenShift cluster you will deploy the Twistlock Defenders to.
Create the Twistlock project: oc new-project twistlock.
Deploy the Twistlock Defender DaemonSet: oc create -f ./defender.yaml.
The Defenders in the second OpenShift Cluster will appear in the Twistlock Console’s Manage > Defenders > Manage.
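The route, the SAN and the WS_ADDRESS edit above all have to agree before oc create is worth running. The following Python pre-flight check is an added example, not part of this guide or of Twistlock's tooling: it validates the twistlock-defender Route (in the JSON shape oc get route twistlock-defender -o json returns), the WS_ADDRESS in defender.yaml, and the Console certificate's DNS SANs (in the dict shape Python's ssl getpeercert() returns). The sample route, YAML fragment and certificate dict are constructed, and the function names are my own.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

HOST = "defenders.apps.jonathan.lab.twistlock.com"  # the twistlock-defender route FQDN from the guide
WS_RE = re.compile(r"-\s*name:\s*WS_ADDRESS\s*\n\s*value:\s*(\S+)")

def route_findings(route: Dict, host: str = HOST, target_port: int = 8084) -> List[str]:
    """Check a Route (shape of `oc get route twistlock-defender -o json`) against the guide's settings."""
    spec = route.get("spec", {})
    tls = spec.get("tls") or {}
    port = spec.get("port", {}).get("targetPort")
    findings = []
    if spec.get("host") != host:
        findings.append("route host is %r, expected %r" % (spec.get("host"), host))
    if tls.get("termination") != "passthrough":
        findings.append("termination is %r; passthrough is required so TLS ends at the Console, not the router" % tls.get("termination"))
    if str(port) != str(target_port):
        findings.append("target port is %r, expected %d" % (port, target_port))
    return findings

def ws_address_findings(defender_yaml: str, host: str = HOST) -> List[str]:
    """WS_ADDRESS in defender.yaml must dial the route host over wss on the router's TLS port 443."""
    m = WS_RE.search(defender_yaml)  # regex instead of PyYAML, so this runs with the stdlib only
    if not m:
        return ["WS_ADDRESS not found in defender.yaml"]
    u = urlsplit(m.group(1))
    findings = []
    if u.scheme != "wss":
        findings.append("WS_ADDRESS scheme is %r, expected wss" % u.scheme)
    if u.hostname != host:
        findings.append("WS_ADDRESS host is %r, expected %r" % (u.hostname, host))
    if u.port != 443:
        findings.append("WS_ADDRESS port is %r; the router serves the passthrough route on 443, not pod port 8084" % u.port)
    return findings

def san_findings(peercert: Dict, host: str = HOST) -> List[str]:
    """peercert has the shape of ssl.SSLSocket.getpeercert(); the route FQDN must be a DNS SAN."""
    dns_names = {v for t, v in peercert.get("subjectAltName", ()) if t == "DNS"}
    if host not in dns_names:
        return ["%s is not a DNS SAN of the Console certificate; add it under Manage > Defenders > Names" % host]
    return []

def preflight(route: Dict, defender_yaml: str, peercert: Dict, host: str = HOST) -> List[str]:
    return route_findings(route, host) + ws_address_findings(defender_yaml, host) + san_findings(peercert, host)

# Constructed samples (not real cluster output): the route as the guide creates it, WS_ADDRESS as twistcli
# exports it (still :8084), and a Console certificate that does not yet carry the new SAN.
SAMPLE_ROUTE = {"spec": {"host": HOST, "port": {"targetPort": 8084},
                         "tls": {"termination": "passthrough", "insecureEdgeTerminationPolicy": "Redirect"}}}
SAMPLE_YAML = "        - name: WS_ADDRESS\n          value: wss://%s:8084\n" % HOST
SAMPLE_CERT = {"subjectAltName": (("DNS", "console1.apps.jonathan.lab.twistlock.com"),)}
```

Calling preflight(SAMPLE_ROUTE, SAMPLE_YAML, SAMPLE_CERT) on the samples reports exactly the two things the guide tells you to fix: the WS_ADDRESS port and the missing SAN.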
Log into Twistlock Console.
Go to Manage > Defenders > Deploy.
1.a = console1.apps.jonathan.lab.twistlock.com.
1.b = Docker on Windows.
Copy the PowerShell script that is generated in 1.c.
Modify the following in the script:
Remove “:8083” from the -Uri.
-Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1"
Change -consoleCN to the twistlock-defender FQDN and add the -wsPort 443 parameter.
-consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443
The resulting script looks similar to the following:

```powershell
# The generated script disables certificate validation for the download below (CheckValidationResult always returns true).
add-type "using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; }}";
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy;
# Download the Defender installer from the Console API via the external route (no :8083 in the URL).
Invoke-WebRequest -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1" -Headers @{"authorization" = "Bearer <token>" } -OutFile defender.ps1;
# Install, pointing the Defender at the twistlock-defender passthrough route on the router's TLS port 443.
.\defender.ps1 -type dockerWindows -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443 -install
```

On the Windows Server node, run the script in a PowerShell x64 shell.
The Windows Twistlock Defender will appear in Manage > Defenders > Manage.