1. Overview

This article describes the run-time characteristics of a typical Twistlock deployment. This information is provided for planning and estimation purposes.

System performance depends on many factors outside of our control. For example, heavily loaded hosts have fewer available resources than hosts with balanced workloads.

2. Scale

Twistlock has been tested and optimized to support up to 5,000 Defenders per Console. If you have an environment that requires more than 5,000 Defenders, deploy a scale project.

3. Scanning performance

This section describes the resources consumed by Twistlock Defender during a scan. Measurements were taken on a test system with 1GB RAM, 8GB storage, and 1 CPU core.

3.1. Host scans

Host scans consume the following resources:

Resource Measured consumption

Memory

10-15%

CPU

1%

Time to complete a host scan

1 second

3.2. Container scans

Container scans consume the following resources:

Resource Measured consumption

Memory

10-15%

CPU

1%

Time to complete a container scan

1-5 seconds per container

3.3. Image scans

When an image is first scanned, Twistlock caches its contents so that subsequent scans run more quickly. The first image scan, when there is no cache, consumes the following resources:

Resource Measured consumption

Memory

10-15%

CPU

2%

Time to complete an image scan.

1-10 seconds per image. (Images are estimated to be 400-800 MB in size.)

Scans of cached images consume the following resources:

Resource Measured consumption

Memory

10-15%

CPU

2%

Time to complete an image scan

1-5 seconds per image. (Images are estimated to be 400-800 MB in size.)

4. Real-world system performance

Each release, Twistlock tests performance in a scale out environment that replicates a real-world workload and configuration. The test environment is built on a Kubernetes cluster with the following properties:

  • Hosts: ≥ 900

  • Hardware: 1 vCPU, 3.75 GB memory

  • Operating system: Container-Optimized OS

  • Images: 6000

  • Containers: 6000 (density of 6.7 containers per host)

The results are collected over the course of a day. The default vulnerability policy (alert on everything) and compliance policy (alert on critical and high issues) are left in place. CNNF is enabled.

Resource consumption:

The following table shows normal resource consumption.

Component Memory (RAM) CPU (single core)

Console

550 MB

<2%

Defender

53 MB

<2%

Scan times:

The following table shows scan performance.

Scan type Resource count Scan time

Image scan

5762 images

150 seconds

Host scan

900 hosts

5 seconds

Container scan

5751 containers

18 seconds