Defenders > Console connection (Twistlock version 22.12.415)
I have 2 k8s clusters running on rke2. I deployed the Twistlock console + defenders on cluster 1 as a flux deployment (with a sops-encrypted secret containing the twistlock admin credentials and license), which was successful.
Step 1: Cluster 1 configmap:
# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
domain: cnap.app
# All this does right now is toggle GitRepositories, it is _not_ fully functional
offline: false
helmRepositories: []
# -- Global ImagePullPolicy value for all packages
imagePullPolicy: IfNotPresent
# ----------------------------------------------------------------------------------------------------------------------
# Istio
istio:
  # -- Toggle deployment of Istio.
  enabled: true
  # -- Choose source type of "git" or "helmRepo"
  sourceType: "git"
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/istio-controlplane.git
    path: "./chart"
    tag: "1.17.2-bb.0"
  helmRepo:
    repoName: "registry1"
    chartName: "istio"
    tag: "1.17.2-bb.0"
  enterprise: false
  ingressGateways:
    public-ingressgateway:
      type: "LoadBalancer" # or "NodePort"
      kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
  gateways:
    public:
      ingressGateway: "public-ingressgateway"
      hosts:
        - "*.{{ .Values.domain }}"
      # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
      autoHttpRedirect:
        enabled: true
      tls:
        key: ""
        cert: ""
  # -- Flux reconciliation overrides specifically for the Istio Package
  flux: {}
  # -- Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/big-bang/product/packages/istio-controlplane.git
  values: {}
  # -- Post Renderers. See docs/postrenders.md
  postRenderers: []
istioOperator:
  # -- Toggle deployment of Istio Operator.
  enabled: true
  # -- Choose source type of "git" or "helmRepo"
  sourceType: "git"
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/istio-operator.git
    path: "./chart"
    tag: "1.17.2-bb.0"
  helmRepo:
    repoName: "registry1"
    chartName: "istio-operator"
    tag: "1.17.2-bb.0"
  # -- Flux reconciliation overrides specifically for the Istio Operator Package
  flux: {}
  # -- Values to passthrough to the istio-operator chart: https://repo1.dso.mil/big-bang/product/packages/istio-operator.git
  values: {}
  # -- Post Renderers. See docs/postrenders.md
  postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Monitoring
monitoring:
  # -- Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager).
  enabled: true
  # -- Choose source type of "git" or "helmRepo"
  sourceType: "git"
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/monitoring.git
    path: "./chart"
    tag: "43.1.2-bb.4"
  helmRepo:
    repoName: "registry1"
    chartName: "monitoring"
    tag: "43.1.2-bb.4"
  # -- Flux reconciliation overrides specifically for the Monitoring Package
  flux:
    install:
      crds: CreateReplace
    upgrade:
      crds: CreateReplace
  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
  ingress:
    gateway: ""
  sso:
    # -- Toggle SSO for monitoring components on and off
    enabled: false
    prometheus:
      # -- Prometheus OIDC client ID
      client_id: ""
      # -- Prometheus OIDC client secret
      client_secret: ""
    alertmanager:
      # -- Alertmanager OIDC client ID
      client_id: ""
      # -- Alertmanager OIDC client secret
      client_secret: ""
    grafana:
      # -- Grafana OIDC client ID
      client_id: ""
      # -- Grafana OIDC client secret
      client_secret: ""
      # -- Grafana OIDC client scopes, comma separated, see https://grafana.com/docs/grafana/latest/auth/generic-oauth/
      scopes: ""
      allow_sign_up: true
      role_attribute_path: "Viewer"
  # -- Other options available, see package Documentation.
  # -- Values to passthrough to the monitoring chart: https://repo1.dso.mil/big-bang/product/packages/monitoring.git
  values:
    # Istio hosts
    istio:
      prometheus:
        hosts:
          - prometheus.{{ .Values.domain }}
      alertmanager:
        hosts:
          - alertmanager.{{ .Values.domain }}
      grafana:
        hosts:
          - grafana.{{ .Values.domain }}
  # -- Post Renderers. See docs/postrenders.md
  postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Twistlock
#
twistlock:
  # -- Toggle deployment of Twistlock.
  enabled: true
  # -- Choose source type of "git" or "helmRepo"
  sourceType: "git"
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/twistlock.git
    path: "./chart"
    tag: "0.12.0-bb.0"
  helmRepo:
    repoName: "registry1"
    chartName: "twistlock"
    tag: "0.12.0-bb.0"
  # -- Flux reconciliation overrides specifically for the Twistlock Package
  flux: {}
  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
  ingress:
    gateway: ""
  sso:
    # -- Toggle SAML SSO, requires a license and enabling the init job - see https://repo1.dso.mil/big-bang/product/packages/initialization.md
    enabled: false
    # -- SAML client ID
    client_id: ""
    # -- SAML Identity Provider. `shibboleth` is recommended by Twistlock support for Keycloak
    # Possible values: okta, gsuite, ping, shibboleth, azure, adfs
    provider_type: "shibboleth"
    # -- Groups attribute (optional)
    groups: ""
  # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/big-bang/product/packages/twistlock.git
  values:
    # Pull secret for Iron Bank images
    imagePullSecrets:
      - name: private-registry
    # init job for defenders deployment via api calls
    init:
      enabled: true
    istio:
      # -- Toggle istio integration
      enabled: true
      # -- Default twistlock peer authentication
      mtls:
        # -- STRICT = Allow only mutual TLS traffic,
        # PERMISSIVE = Allow both plain text and mutual TLS traffic
        mode: STRICT
      console:
        # -- Toggle vs creation
        enabled: true
        # -- Annotations for VS
        annotations: {}
        # -- Labels for VS
        labels: {}
        # -- Gateways for VS
        #gateways:
        #  - istio-system/main
        # -- Hosts for VS
        hosts:
          - twistlock.{{ .Values.domain }}
    # -- Configuration of Twistlock's container defenders. This requires `init.enabled`=`true`, valid credentials, and a valid license.
    defender:
      enabled: true
      clusterName: "il2-dev-cnap-neuvector" # p1-il2-dev-cnap-neuvector cluster
      # tolerations:
      #   - operator: Exists
      # -- Path to Docker socket. Leave blank to use /var/run/docker.sock
      dockerSocket: "/run/k3s/containerd/containerd.sock"
      selinux: false # set to `false` so gatekeeper doesn't block defenders deployment
      privileged: false # so gatekeeper doesn't block defenders deployment. If selinux is true, this automatically gets set to false
      # -- Sets the container security context dropped capabilities for the defenders
      securityCapabilitiesDrop:
        - ""
    policies:
      enabled: true
      name: CNAP # prefix
      vulnerabilities:
        enabled: true
        alertThreshold: medium
      compliance:
        enabled: true
        # set to false, will be configured post deployment via cnap PCC IaC
        runtime:
          enabled: false
        # -- The policy templates to use. Valid values are 'GDPR', 'DISA STIG', 'PCI', 'NIST SP 800-190', or 'HIPAA'
        templates:
          # - GDPR
          - DISA STIG
          # - PCI
          - NIST SP 800-190
          # - HIPAA
        # -- If template does not apply, set policy to alert using this severity or higher. Valid values are 'low', 'medium', 'high', or 'critical'.
        alertThreshold: medium
    resources:
      limits:
        memory: 8Gi
        cpu: 4000m
      requests:
        memory: 8Gi
        cpu: 4000m
  # -- Post Renderers. See docs/postrenders.md
  postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
Step 2: Registered the DNS entry (twistlock.cnap.app) for the ELB created by the istio public-ingressgateway, so I can confirm access to (twistlock.cnap.app).
Step 3: Downloaded the DaemonSet from cluster 1 and ran kubectl create -f daemonset.yaml on cluster 2. Although the defenders are all running, I see this below in the logs, so obviously they are not listed on the Twistlock cluster 1 console:
ERRO 2023-10-04T02:19:02.921 defender.go:1614 No console connectivity wss://twistlock.cnap.app:8084
ERRO 2023-10-04T02:19:02.923 defender.go:1330 Failed to update host runtime policy cannot update policy, host profile must be initialized first
Haven't figured out what I am doing wrong, but this seems like a network issue. Unsure if this is on the istio side or the ELB. I would appreciate some feedback.
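An offline check for the "istio side or the ELB" question, added here as an example and not part of the post or of BigBang: it reads the console endpoint out of the defender's "No console connectivity" line, then reports whether that port is exposed on the public-ingressgateway Service (the ELB listeners) and whether an Istio Gateway server covers that host on the matching targetPort. The Service and Gateway objects below are constructed stand-ins that assume a default BigBang gateway exposing only 80/443; in practice they would come from `kubectl get ... -o json`.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the two defender log lines quoted in the post.
DEFENDER_LOG = """\
ERRO 2023-10-04T02:19:02.921 defender.go:1614 No console connectivity wss://twistlock.cnap.app:8084
ERRO 2023-10-04T02:19:02.923 defender.go:1330 Failed to update host runtime policy cannot update policy, host profile must be initialized first
"""
# Constructed stand-in for `kubectl -n istio-system get svc public-ingressgateway -o json`,
# assumed to expose only the default 80/443 (plus the Istio status port) on the ELB.
INGRESS_GATEWAY_SVC = {"spec": {"type": "LoadBalancer", "ports": [
    {"name": "status-port", "port": 15021, "targetPort": 15021},
    {"name": "http2", "port": 80, "targetPort": 8080},
    {"name": "https", "port": 443, "targetPort": 8443},
]}}
# Constructed stand-in for `kubectl -n istio-system get gateway public -o json`; Gateway
# servers name the pod-side ports (the Service targetPorts), not the ELB-facing ports.
ISTIO_GATEWAY = {"spec": {"servers": [
    {"port": {"number": 8080, "name": "http", "protocol": "HTTP"}, "hosts": ["*.cnap.app"]},
    {"port": {"number": 8443, "name": "https", "protocol": "HTTPS"}, "hosts": ["*.cnap.app"]},
]}}
CONSOLE_RE = re.compile(r"No console connectivity (wss?://\S+)")

def console_endpoints(log_text):
    """(host, port) pairs the defender says it cannot reach; wss defaults to 443."""
    endpoints = []
    for m in CONSOLE_RE.finditer(log_text):
        u = urlparse(m.group(1))
        endpoints.append((u.hostname, u.port or 443))
    return endpoints

def host_matches(pattern, host):
    """Istio Gateway host matching: optional 'ns/' prefix, '*' or '*.suffix', else exact."""
    pattern = pattern.split("/", 1)[-1]
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def diagnose(log_text, svc, gw):
    """Per endpoint: is the port on the ELB Service, and does a Gateway server cover host+targetPort?"""
    results = {}
    for host, port in console_endpoints(log_text):
        svc_ports = [p for p in svc["spec"]["ports"] if p["port"] == port]
        targets = {p.get("targetPort", p["port"]) for p in svc_ports}
        gw_ok = any(s["port"]["number"] in targets and any(host_matches(h, host) for h in s["hosts"])
                    for s in gw["spec"]["servers"])
        results[f"{host}:{port}"] = {"elb_service_port": bool(svc_ports), "istio_gateway_server": gw_ok}
    return results
```

A False in `elb_service_port` means the ELB never receives the defender's connection; a True there with a False in `istio_gateway_server` means the port reaches the gateway pod but nothing listens for that host on it.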