Twistlock Hub and Spoke Virtual Service
Twistlock Defenders talk to the Twistlock Console over port 8084 (see the Twistlock Network Policy). In a hub/spoke deployment, where Defenders in one cluster connect to a Console running in another cluster, the existing Console VirtualService is not enough: a separate VirtualService is required to expose port 8084 of the Console. This matches the vendor documentation, which lists two distinct ports that must be open to the Console (8083 for the UI/API and 8084 for Defender communication): https://docs.twistlock.com/docs/compute_edition_21_04/install/install_kubernetes.html#firewalls-and-ports
Additionally, the WebSocket that Defender opens to the Console cannot be routed as HTTP at the ingress gateway: Defender establishes its own TLS session with the Console (authenticating with certificates the Console issued), so the gateway cannot terminate it and route by host or path. The connection has to be passed through as raw TCP, which means a dedicated IngressGateway/Gateway with a TCP server on 8084 rather than the shared HTTPS gateway.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: twistlock-defender
  namespace: twistlock
spec:
  gateways:
    - twistlock-defender # new Gateway in the same namespace, dedicated to the 8084 TCP passthrough
  hosts:
    - twistlock-defenders-ingress.bigbang.dev # hostname Defenders connect to; placeholder, pick a better name
  tcp:
    - match:
        - port: 8084 # the Gateway server port that Defenders hit, not the console Service port
      route:
        - destination:
            host: twistlock-console.twistlock.svc.cluster.local
            port:
              number: 8084
```
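The VirtualService above only routes traffic that a Gateway has already accepted on 8084, and no Gateway exists for that port in a default installation. The following is an added example (not from this page or from the Big Bang project) of the two missing pieces: an IstioOperator fragment that adds a dedicated ingress gateway deployment with 8084 exposed on its Service, and the Gateway resource the VirtualService references. The deployment name `twistlock-defender-ingressgateway`, its selector label `istio: twistlock-defender-ingressgateway`, the `istio-system` namespace for the gateway pods and the `twistlock-defenders-ingress.bigbang.dev` hostname are assumptions; adjust them to the environment.

```yaml
# Added example: dedicated ingress gateway for the Defender channel (names are assumptions).
# Uses the empty profile so this only adds a gateway component to an existing mesh.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: twistlock-defender-ingress
  namespace: istio-system
spec:
  profile: empty
  components:
    ingressGateways:
      - name: twistlock-defender-ingressgateway
        namespace: istio-system
        enabled: true
        label:
          istio: twistlock-defender-ingressgateway # matched by the Gateway selector below
        k8s:
          service:
            type: LoadBalancer
            ports:
              - name: tcp-defender
                port: 8084       # what Defenders in spoke clusters connect to
                targetPort: 8084
                protocol: TCP
---
# Gateway referenced by the twistlock-defender VirtualService.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: twistlock-defender
  namespace: twistlock
spec:
  selector:
    istio: twistlock-defender-ingressgateway
  servers:
    - port:
        number: 8084
        name: tcp-defender
        protocol: TCP # no tls block: the gateway never terminates TLS, Defender's TLS session goes end to end to the Console
      hosts:
        - twistlock-defenders-ingress.bigbang.dev
```

Two things to check once this is applied. First, confirm the passthrough from outside the hub cluster with `openssl s_client -connect twistlock-defenders-ingress.bigbang.dev:8084 -showcerts`: the certificate returned must be the Console's own certificate, not the ingress gateway's; if the gateway's certificate comes back, the port is being terminated instead of passed through. Second, a plain TCP server forwards anything that reaches the load balancer on 8084 to the Console, so restrict the source ranges at the load balancer or firewall to the spoke clusters' egress addresses, and make sure the hub's NetworkPolicy permits the dedicated gateway pods (not just the shared ingress gateway) to reach the console pod on 8084. If several hostnames need to share the 8084 listener, switch the server to `protocol: TLS` with `tls.mode: PASSTHROUGH` and match on `sniHosts` in a `tls:` route instead of the `tcp:` route.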