1. Overview

This guide demonstrates how to deploy Twistlock Defenders outside the OpenShift cluster where the Twistlock Console is running. You need to expose the Twistlock-Console service’s TCP ports 8083 and 8084 as external OpenShift routes; each route is a unique, fully qualified domain name. In this example, you deploy Twistlock Defenders as a DaemonSet in a second OpenShift cluster and to a Windows Server 2016 with Containers node. Twistlock API calls are made to the Twistlock-Console external OSE route https://console1.apps.jonathan.lab.twistlock.com, and the Twistlock Defenders communicate with the Console via wss://defenders.apps.jonathan.lab.twistlock.com:443.

Prerequisites

  • The Twistlock Console is fully operational; see the Twistlock OpenShift Deployment guide.

  • An existing OpenShift external route to the Twistlock-Console’s TCP port 8083 (Twistlock UI and API)

2. OpenShift and Twistlock Console configuration

Procedure

All commands are run from a system that is external to the OpenShift Cluster using the oc and twistcli commands.

  1. Log into the OpenShift Cluster running the Twistlock Console.

  2. Go to Twistlock Project > Applications > Routes.

  3. Create New Route.

    1. Name: twistlock-defender.

    2. Hostname: defenders.apps.jonathan.lab.twistlock.com.

    3. Target Port: 8084 → 8084.

    4. Security:

      • TLS Termination: Passthrough.

      • Insecure Traffic: Redirect.

        [Screenshot: external defender openshift router]

  4. Add the new route to the Twistlock Console’s SubjectAlternativeName.

    1. In the Twistlock Console go to Manage > Defenders > Names.

    2. Click Add SAN.

    3. Add the new route FQDN defenders.apps.jonathan.lab.twistlock.com.

      [Screenshot: external defender openshift san]

3. Deploy Twistlock Defender Daemonset in Second OpenShift Cluster

Procedure

Using the twistcli tool, generate the Twistlock Defender defender.yaml file.

  1. Run the command:

    $ linux/twistcli defender export openshift \
      --address https://console1.apps.jonathan.lab.twistlock.com \
      --cluster-address defenders.apps.jonathan.lab.twistlock.com \
      --namespace twistlock \
      --selinux-enabled
  2. Edit the resulting defender.yaml and change:

      - name: WS_ADDRESS
        value: wss://defenders.apps.jonathan.lab.twistlock.com:8084

    to:

      - name: WS_ADDRESS
        value: wss://defenders.apps.jonathan.lab.twistlock.com:443

  3. Run oc login against the OpenShift Cluster to which you will deploy the Twistlock Defenders.

  4. Create the Twistlock Project: oc new-project twistlock.

  5. Deploy the Twistlock Defender daemonset: oc create -f ./defender.yaml.

  6. The Defenders in the second OpenShift Cluster will appear in the Twistlock Console’s Manage > Defenders > Manage.

    [Screenshot: external defender openshift ds]

4. Deploy Twistlock Defender on Windows Server 2016 w/ Containers Node

Procedure

  1. Log into Twistlock Console.

  2. Go to Manage > Defenders > Deploy.

    1. 1.a = console1.apps.jonathan.lab.twistlock.com.

    2. 1.b = Docker on Windows.

      [Screenshot: external defender openshift windows]

  3. Copy the PowerShell script that is generated in 1.c.

  4. Modify the following in the script:

    1. Remove “:8083” from the -Uri.

      -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1"

    2. Change the -consoleCN to the twistlock-defender FQDN and add the -wsPort 443 variable.

      -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443

  5. The resulting script looks similar to the following:

    # Generated by the Console: this policy accepts any server certificate for the
    # download of defender.ps1 below (no certificate validation on that request).
    add-type "using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; }}"
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
    # Download the installer through the Console API route (no :8083, the route serves 443).
    Invoke-WebRequest -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1" -Headers @{"authorization" = "Bearer <token>" } -OutFile defender.ps1
    # Install the Defender, verifying the Console against the twistlock-defender route name
    # and dialling the passthrough route on 443.
    .\defender.ps1 -type dockerWindows -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443 -install

  6. On the Windows Server node, run the script in an x64 PowerShell shell.

  7. The Windows Twistlock Defender will appear in Manage > Defenders > Manage.

    [Screenshot: external defender openshift windowsnode]
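
As an added example (not part of this guide or of Twistlock's tooling), the following Python pre-flight checker applies the WS_ADDRESS edit from step 2 of section 3 and verifies the edited Windows one-liner from step 4 of section 4 against the Console's SAN list; the route names, the SAN list and the defender.yaml fragment it matches are constructed to mirror the guide's values.

```python
"""Pre-flight checks for the externally routed Defender settings in sections 3 and 4.
Added example, not part of Twistlock or this guide; the route names, SAN list and the
manifest/script fragments matched below are constructed to follow the guide's values."""
import re
from urllib.parse import urlsplit

DEFENDER_ROUTE = "defenders.apps.jonathan.lab.twistlock.com"
# Names the Console certificate is valid for (Manage > Defenders > Names); constructed.
CONSOLE_SANS = {"twistlock-console", "twistlock-console.twistlock.svc", DEFENDER_ROUTE}

# Matches the WS_ADDRESS env entry regardless of how twistcli indented the value line.
WS_ADDRESS_RE = re.compile(r"(-\s*name:\s*WS_ADDRESS\s+value:\s*)(\S+)")


def fix_ws_address(defender_yaml: str) -> str:
    """Step 2 of section 3: point WS_ADDRESS at the passthrough route on 443."""
    def repl(m):
        host = urlsplit(m.group(2)).hostname
        return f"{m.group(1)}wss://{host}:443"
    return WS_ADDRESS_RE.sub(repl, defender_yaml, count=1)


def check_ws_address(ws_address: str, sans=CONSOLE_SANS) -> list:
    """Return the problems (empty list means OK) a Defender would hit dialling ws_address."""
    u = urlsplit(ws_address)
    problems = []
    if u.scheme != "wss":
        problems.append("scheme must be wss")
    if u.port not in (None, 443):
        problems.append(f"port {u.port} is not exposed by the OpenShift router; use 443")
    if u.hostname not in sans:
        problems.append(f"{u.hostname} is missing from the Console SAN list; TLS verification fails")
    return problems


def check_windows_command(cmd: str, defender_route=DEFENDER_ROUTE) -> list:
    """Step 4 of section 4: the three edits to the generated PowerShell one-liner."""
    problems = []
    uri = re.search(r'-Uri\s+"([^"]+)"', cmd)
    if uri is None or urlsplit(uri.group(1)).port == 8083:
        problems.append("remove :8083 from -Uri; the Console API route listens on 443")
    cn = re.search(r"-consoleCN\s+(\S+)", cmd)
    if cn is None or cn.group(1) != defender_route:
        problems.append(f"-consoleCN must be the twistlock-defender route {defender_route}")
    if re.search(r"-wsPort\s+443\b", cmd) is None:
        problems.append("add -wsPort 443 so the Defender uses the passthrough route")
    return problems
```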