UNCLASSIFIED - NO CUI


Twistlock Hub and Spoke Virtual Service

Twistlock Defenders talk to the Twistlock Console over port 8084 (see This Network Policy). When deploying a hub and spoke model, where Defenders in one cluster need to connect to a Twistlock Console running in another cluster, a separate VirtualService is required to expose port 8084 from the Console. This matches the vendor documentation, which lists two different ports that must be open to the Console (8083 for the Console UI/API, 8084 for Defender communication): https://docs.twistlock.com/docs/compute_edition_21_04/install/install_kubernetes.html#firewalls-and-ports

Additionally, the WebSocket connection the Defender opens does not look like it can be routed as HTTP by Istio, so it has to be passed through as a raw TCP connection. That means a dedicated IngressGateway and Gateway for the passthrough rather than reusing the existing HTTPS gateway.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: twistlock-defender
  namespace: twistlock
spec:
  gateways:
    - twistlock-defender # dedicated TCP passthrough Gateway; a bare name means the same namespace as this VirtualService, otherwise use <namespace>/<name>
  hosts:
    - twistlock-defenders-ingress.bigbang.dev # hostname Defenders in the spoke cluster dial; placeholder name, must also be listed in the Gateway's hosts
  tcp:
    - match:
        - port: 8084 # TCP routes match on port only, with no host or SNI inspection, so the Defender's TLS session is passed through untouched
      route:
        - destination:
            host: twistlock-console.twistlock.svc.cluster.local
            port:
              number: 8084
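
A Gateway to pair with the VirtualService above, added here as an illustration; it is not from the original page or the Big Bang project. It assumes the ingress gateway pods that should carry the passthrough are labelled istio: ingressgateway and that that gateway's Service already exposes port 8084 (Istio's default ingress Service only opens 80, 443 and 15021); both are assumptions to check against the cluster.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: twistlock-defender          # name referenced by the VirtualService's gateways list
  namespace: twistlock
spec:
  selector:
    istio: ingressgateway           # assumption: label of the ingress gateway pods for the passthrough
  servers:
    - port:
        number: 8084                # assumption: this port is also exposed on the gateway Service
        name: tcp-twistlock-defender
        protocol: TCP               # raw TCP, no TLS termination by Istio
      hosts:
        - twistlock-defenders-ingress.bigbang.dev   # must match the VirtualService hosts entry
```

Because the server protocol is TCP, Istio forwards the bytes without terminating TLS, so the Console's own certificate and the Defender's authentication to it are untouched end to end; Defenders in the spoke cluster are then pointed at twistlock-defenders-ingress.bigbang.dev:8084. After applying both resources, `kubectl -n twistlock get gateway,virtualservice` and `istioctl analyze -n twistlock` are quick checks that the Gateway and VirtualService reference each other consistently.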