From 69a6071ecb2d78758d71c17d7f46e34eaa290c05 Mon Sep 17 00:00:00 2001 From: Thomas Burton Date: Tue, 9 Jun 2020 12:43:10 -0400 Subject: [PATCH] Initial push to Public --- .gitlab-ci.yml | 14 ---- CHANGELOG.md | 5 ++ CODEOWNERS.txt | 1 + CONTRIBUTING.md | 22 +++++ README.md | 146 ++++++++++++++++++++++++++++++++- RELEASENOTES.md | 5 ++ console/kustomization.yaml | 4 + console/twistlock_console.yaml | 125 ++++++++++++++++++++++++++++ defender/build_defender.sh | 43 ++++++++++ 9 files changed, 350 insertions(+), 15 deletions(-) delete mode 100644 .gitlab-ci.yml create mode 100644 CHANGELOG.md create mode 100644 CODEOWNERS.txt create mode 100644 CONTRIBUTING.md create mode 100644 RELEASENOTES.md create mode 100644 console/kustomization.yaml create mode 100644 console/twistlock_console.yaml create mode 100755 defender/build_defender.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 179abb2..0000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,14 +0,0 @@ -stages: - - scan - -include: - - local: /jobs/scan/base.yml - -include: - - project: 'platform-one/private/big-bang/pipeline-templates' - file: '/jobs/scan/base.yml' - -scan container: - extends: .trivy scan - variables: - IMAGE: $CI_REGISTRY_IMAGE/console \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..8bcf44a --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,5 @@ +#Twistlock + +0.1.0 (06/15/2020) +Manifests for deploying Twistlock 20.04.196 + diff --git a/CODEOWNERS.txt b/CODEOWNERS.txt new file mode 100644 index 0000000..3d0f655 --- /dev/null +++ b/CODEOWNERS.txt @@ -0,0 +1 @@ +* @big-bang diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..0907891 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,22 @@ +# Contributing + +Thanks for contributing to this repository! + +This repository follows the following conventions: + +* [Semantic Versioning](https://semver.org/) +* [Keep a Changelog](https://keepachangelog.com/) +* [Conventional Commits](https://www.conventionalcommits.org/) + +Development requires the Kubernetes CLI tool as well as a local Kubernetes cluster. [KIND](https://github.com/kubernetes-sigs/kind) is recommended as a lightweight local option for standing up Kubernetes clusters. + +To contribute a change: + +1. Create a branch on the cloned repository with a descriptive name, prefixed with your name. For example, `gd/add-ingress` is an appropriate branch name. +2. Make the changes in code. +3. Write tests using [KUTTL](https://kuttl.dev) and [Conftest](https://conftest.dev) +4. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps with automation for changelog. Update `CHANGELOG.md` in the same commit using the [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated. +5. Open a merge request using one of the provided templates. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR. +6. During this time, ensure that all new commits are rebased into your branch so that it remains up to date with the `development` branch. +7. Wait for a maintainer of the repository (see CODEOWNERS) to approve. +8. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit. diff --git a/README.md b/README.md index 03a7e21..d50c304 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,146 @@ -# twistlock +# Twistlock + +## This should not go into production with license and token . + +## Twistlock under DSOP + +The Twistlock Platform provides vulnerability management and compliance across the application lifecycle by scanning images and serverless functions to prevent security and compliance issues from progressing through the development pipeline, and continuously monitoring all registries and environments. + +This installation follows the Twistlock documented guidance. Twistlock documentation can be found at: +https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome.html + +The Twistlock Console is deployed as a part of the gitops. Once deployed the process of setting up daemonsets is currently a manual process. For this installation the following information is needed: + +### Prerequisites + +* Kubernetes cluster deployed +* Kubernetes config installed in `~/.kube/config` +* Elasticsearch and Kibana deployed to Kubernetes namespace + +Install kubectl +``` +brew install kubectl +``` +Install kustomize +``` +brew install kustomize +``` +### Deployment + +Clone repository + +``` +git clone https://repo1.dsop.io/platform-one/apps/twistlock.git +cd twstlock +``` +Apply kustomized manifest +``` +kubectl -k ./ +``` + +### Next steps + +The application needs a administrator, the license file needs to be installed, then a defender.yaml needs to be generated and deployed. This has been consolidated in a script called build_defender. + +The Variables required are as follows: +``` +$ //Environment +$ TWISTLOCK_CONSOLE_USER=Administrator +$ TWISTLOCK_CONSOLE_PASSWORD=< my password> +$ TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io +$ TWISTLOCK_LICENSE= +$ TOKEN= +``` +This process requires kubectl to be installed and able to communicate with the DSOP cluster. + +#### Add an Administrator + +Initially there is no users associated with twistlock console. 
Go to the external URL and add an Administrator account and a password. Alternatively, run the following script: + +``` +//Add Administrator +if ! curl -k -H 'Content-Type: application/json' -X POST \ + -d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}" \ + https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/signup; then + + echo "Error creating Twistlock Console user $TWISTLOCK_CONSOLE_USER" + exit 1 +fi +``` + +#### Install the license +The License can be added directly from the TWISTLOCK_EXTERNAL_ROUTE. When first logging in the admin user will be prompted for a license. The following script will install the license: + +``` +//License +if ! curl -k \ + -u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD \ + -H 'Content-Type: application/json' \ + -X POST \ + -d "{\"key\": \"$TWISTLOCK_LICENSE\"}" \ + https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license; then + + echo "Error uploading Twistlock license to console" + exit 1 +fi +``` + +#### Install Defender with Twistcli + +This can be found in the Manage/System/Download. After download ensure the file is made executable. + +``` +$ chmod +x twistcli +``` +The "Bearer" token can be found in the twistlock application Manage/Authorization/User Certificates. Alternatively, run the following commands +``` +//Windows twistcli: + +curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/windows/twistcli.exe > twistcli.exe; +``` +``` +Linux twistcli: + +curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/twistcli > twistcli; chmod a+x twistcli; +``` +``` +Mac OS twistcli: + +curl --progress-bar -L -k --header "authorization: Bearer TOKEN" https://twistlock.fences.dsop.io/api/v1/util/osx/twistcli > twistcli; chmod a+x twistcli; +``` + +#### Install Defender + +1) Download Daemonset + +The following command can be authenticated by TOKEN or Username/Password. 
+``` +./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user $TWISTLOCK_CONSOLE_USER --password $TWISTLOCK_CONSOLE_PASSWORD --address https://$TWISTLOCK_EXTERNAL_ROUTE --cluster-address twistlock-console:8084 +``` +#####Download the daemonset.yaml. The default Image is set to teh Prisma server. We need to pull images from Platform 1. The image URL needs to be changed: +##### Image: registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169 + +2) Install Defender +``` +kubectl apply -f defender.yaml +``` +Install Defender from the Console UI + +The Daemonset generator is located in the Twistlock Console Under Manage -> Defenders -> Deploy -> Daemonset +Select the following options: + +Choose the name that clients and Defenders use to access this Console - twistlock-console +Choose the port number that Defenders use to access this Console - 8084 +Choose the cluster orchestrator - kubernetes +NodeSelector - leave this blank +Monitor service accounts - On +Monitor Istio - On +Collect Deployment and Namespace labels - On +Use the official Twistlock registry - On (if possible) +Deploy Defenders with SELinux Policy - Off +Run Defenders as privileged - On +Nodes use Container Runtime Interface (CRI), not Docker - On +Nodes runs inside containerized environment - Off + + diff --git a/RELEASENOTES.md b/RELEASENOTES.md new file mode 100644 index 0000000..8bcf44a --- /dev/null +++ b/RELEASENOTES.md @@ -0,0 +1,5 @@ +#Twistlock + +0.1.0 (06/15/2020) +Manifests for deploying Twistlock 20.04.196 + diff --git a/console/kustomization.yaml b/console/kustomization.yaml new file mode 100644 index 0000000..e25c413 --- /dev/null +++ b/console/kustomization.yaml @@ -0,0 +1,4 @@ +namespace: twistlock + +resources: + - twistlock_console.yaml diff --git a/console/twistlock_console.yaml b/console/twistlock_console.yaml new file mode 100644 index 0000000..43af98c --- /dev/null +++ b/console/twistlock_console.yaml 
@@ -0,0 +1,125 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: twistlock
+---
+apiVersion: v1
+kind: ConfigMap
+data:
+ twistlock.cfg: "# _____ _ _ _ _ \n# |_ _|_ _(_)___| |_| | ___ ___| | __ \n# | | \\ \\ /\\ / / / __| __| |/ _ \\ / __| |/ / \n# | | \\ V V /| \\__ \\ |_| | (_) | (__| < \n# |_| \\_/\\_/ |_|___/\\__|_|\\___/ \\___|_|\\_\\\\ \n\n# This configuration file contains the setup parameters for Twistlock\n# This file is typically stored in the same directory as the installation script (twistlock.sh)\n# To reconfigure settings, update this configuration file and re-run twistlock.sh; state and unchanged settings will persist\n\n\n\n#############################################\n# Network configuration\n#############################################\n# Each port must be set to a unique value (multiple services cannot share the same port)\n###### Management Console ports #####\n# Sets the ports that the Twistlock management website listens on\n# The system that you use to configure Twistlock must be able to connect to the Twistlock Console on these ports\n# To disable the HTTP listener, leave the value empty (e.g. MANAGEMENT_PORT_HTTP=)\nMANAGEMENT_PORT_HTTP=${MANAGEMENT_PORT_HTTP-8081}\nMANAGEMENT_PORT_HTTPS=8083\n\n##### Inter-system communication port ##### \n# Sets the port for communication between the Defender(s) and the Console\nCOMMUNICATION_PORT=8084\n\n##### Certificate common names (optional) #####\n# Determines how to construct the CN in the Console's certificate\n# This value should not be modified unless instructed to by Twistlock Support\nCONSOLE_CN=$(hostname --fqdn 2>/dev/null); if [[ $? == 1 ]]; then CONSOLE_CN=$(hostname); fi\n# Determines how to construct the CN in the Defenders' certificates\n# Each Defender authenticates to the Console with this certificate and each cert must have a unique CN\n# These values should not be modified unless instructed to by Twistlock Support\nDEFENDER_CN=${DEFENDER_CN:-}\n\n#############################################\n# Twistlock system configuration\n#############################################\n###### Data recovery #####\n# Data recovery automatically exports the full Twistlock configuration to the specified path every 24 hours\n# Daily, weekly, and monthly snapshots are retained\n# The exported configuration can be stored on durable storage or backed up remotely with other tools\n# Sets data recovery state (enabled or disabled)\nDATA_RECOVERY_ENABLED=true\n# Sets the directory to which Twistlock data is exported\nDATA_RECOVERY_VOLUME=/var/lib/twistlock-backup\n\n##### Read only containers #####\n# Sets Twistlock containers' file-systems to read-only\nREAD_ONLY_FS=true\n\n##### Storage paths #####\n# Sets the base directory to store Twistlock local data (db and log files)\nDATA_FOLDER=/var/lib/twistlock\n\n##### Docker socket #####\n# Sets the location of the Docker socket file\nDOCKER_SOCKET=${DOCKER_SOCKET:-/var/run/docker.sock}\n# Sets the type of the Docker listener (TCP or NONE)\nDEFENDER_LISTENER_TYPE=${DEFENDER_LISTENER_TYPE:-NONE}\n\n#### SCAP (XCCDF) configuration ####\n# Sets SCAP state (enabled or disabled)\nSCAP_ENABLED=${SCAP_ENABLED:-false}\n\n#### systemd configuration ####\n# Installs Twistlock as systemd service\nSYSTEMD_ENABLED=${SYSTEMD_ENABLED:-false}\n\n#### userid configuration ####\n# Run Twistlock Console processes as root (default, twistlock user account)\n# Typically used to run Console on standard (tcp/443) privileged port for TLS\nRUN_CONSOLE_AS_ROOT=${RUN_CONSOLE_AS_ROOT:-false}\n\n#### SELinux configuration ####\n# If SELinux is enabled in dockerd, enable running Twistlock Console and Defender with a dedicated SELinux label\n# See https://docs.docker.com/engine/reference/run/#security-configuration\nSELINUX_LABEL=disable\n\n#############################################\n# High availability settings\n#############################################\n# Only to be used when the Console is deployed outside of a Kubernetes cluster\n# This native HA capability uses Mongo clustering and requires 3 or more instances\nHIGH_AVAILABILITY_ENABLED=false\nHIGH_AVAILABILITY_STATE=PRIMARY\nHIGH_AVAILABILITY_PORT=8086\n\n\n\n#############################################\n# Twistlock repository configuration\n#############################################\n# Sets the version tag of the Twistlock containers\n# Do not modify unless instructed to by Twistlock Support\nDOCKER_TWISTLOCK_TAG=_19_11_512\n"
+metadata:
+ name: twistlock-console
+ namespace: twistlock
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: console
+ name: twistlock-console
+ namespace: twistlock
+spec:
+ ports:
+ - name: communication-port
+ port: 8084
+ - name: management-port-https
+ port: 8083
+ - name: mgmt-http
+ port: 8081
+ selector:
+ name: twistlock-console
+---
+apiVersion: v1
+kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC)
+metadata:
+ name: twistlock-console
+ namespace: twistlock
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: twistlock-console
+ namespace: twistlock
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Gi
+---
+
+---
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: twistlock-console
+ namespace: twistlock
+ labels:
+ name: twistlock-console
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: twistlock-console
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: twistlock-console
+ namespace: twistlock
+ labels:
+ name: twistlock-console
+ spec:
+ restartPolicy: Always
+ serviceAccountName: twistlock-console
+ containers:
+ - name: twistlock-console
+ # This is the P1 repo.
+ image: registry.dsop.io/platform-one/apps/twistlock/console:20.04.169
+ ports:
+ - name: mgmt-https
+ containerPort: 8083
+ - name: communication
+ containerPort: 8084
+ - name: mgmt-http
+ containerPort: 8081
+ env:
+ - name: HIGH_AVAILABILITY_ENABLED
+ value: "false"
+ - name: CONFIG_PATH
+ value: /data/config/twistlock.cfg
+ - name: LOG_PROD
+ value: "true"
+ - name: DATA_RECOVERY_ENABLED
+ value: "true"
+ - name: COMMUNICATION_PORT
+ value: "8084"
+ - name: MANAGEMENT_PORT_HTTPS
+ value: "8083"
+ - name: MANAGEMENT_PORT_HTTP
+ value: "8081"
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: twistlock-config-volume
+ mountPath: "/data/config/"
+ - name: console-persistent-volume
+ mountPath: "/var/lib/twistlock"
+ subPath: "var/lib/twistlock"
+ - name: console-persistent-volume
+ mountPath: "/var/lib/twistlock-backup"
+ subPath: "var/lib/twistlock-backup"
+ - name: syslog-socket
+ mountPath: "/dev/log"
+ volumes:
+ - name: console-persistent-volume
+ persistentVolumeClaim:
+ claimName: "twistlock-console"
+ - name: twistlock-config-volume
+ configMap:
+ name: twistlock-console
+ - name: syslog-socket
+ hostPath:
+ path: "/dev/log"
diff --git a/defender/build_defender.sh b/defender/build_defender.sh
new file mode 100755
index 0000000..8a9ed62
--- /dev/null
+++ b/defender/build_defender.sh
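Review bot: The Deployment keeps the plaintext management listener enabled: the `env` block sets `MANAGEMENT_PORT_HTTP` to `"8081"`, the container exposes `mgmt-http`, and the Service publishes port 8081, even though the embedded twistlock.cfg reads `MANAGEMENT_PORT_HTTP=${MANAGEMENT_PORT_HTTP-8081}` and its own comment says to disable HTTP by leaving the value empty, so the admin credentials and license that build_defender.sh sends can also be accepted over unencrypted HTTP inside the cluster. Set the env `value` to `""` and drop the `mgmt-http` entries from the container `ports` and the Service so only 8083/8084 are reachable. The container `securityContext` sets only `readOnlyRootFilesystem`; add `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, and `runAsNonRoot: true` should be consistent with the cfg's `RUN_CONSOLE_AS_ROOT=${RUN_CONSOLE_AS_ROOT:-false}` default — confirm against the image before enforcing it. The `syslog-socket` hostPath mount of `/dev/log` gives the pod write access to the node's log socket and is typically rejected by restricted PSP/SCC profiles; if host syslog forwarding is not actually required, remove the mount and volume. There is also version drift to resolve: the image tag is `20.04.169`, the cfg pins `DOCKER_TWISTLOCK_TAG=_19_11_512`, and CHANGELOG.md says 20.04.196 — pick one and state it in a comment next to `image:`.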
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+#The "Bearer" token can be found in the twistlock application Manage/Authorization/User Certificates. Alternatively, run the following commands
+
+TWISTLOCK_CONSOLE_USER=Administrator
+TWISTLOCK_CONSOLE_PASSWORD=Passw0rd! # Don't use thes
+TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io
+
+# set Twistlock console user/pass
+
+if ! curl -k -H 'Content-Type: application/json' -X POST \
+ -d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}" \
+ https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/signup; then
+
+ echo "Error creating Twistlock Console user $TWISTLOCK_CONSOLE_USER"
+ exit 1
+fi
+
+# Set Twistlock license. Using default user/pass
+
+if ! curl -k \
+ -u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD \
+ -H 'Content-Type: application/json' \
+ -X POST \
+ -d "{\"key\": \"$TWISTLOCK_LICENSE\"}" \
+ https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license; then
+
+ echo "Error uploading Twistlock license to console"
+ exit 1
+fi
+
+
+
+curl -sSLk -u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/twistcli > twistcli
+
+chmod +x ./twistcli
+
+# Change the image tag to reflect Platform One registry:
+# registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169
+
+./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user $TWISTLOCK_CONSOLE_USER --password $TWISTLOCK_CONSOLE_PASSWORD --address https://$TWISTLOCK_EXTERNAL_ROUTE --cluster-address twistlock-console:8084
+
+# kubectl apply -f ./defender
\ No newline at end of file
-- 
GitLab
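Review bot: The script commits a working admin password (`TWISTLOCK_CONSOLE_PASSWORD=Passw0rd!`) and every `curl` call runs with `-k`, so the console's TLS certificate is never verified — including the download of `twistcli`, which is then `chmod +x`'d and executed, so anyone positioned on the path to `$TWISTLOCK_EXTERNAL_ROUTE` can substitute the binary and capture the credentials and license. Read the user, password, license and route from the environment behind `: "${VAR:?}"` guards, and verify the console with `--cacert` (or a certificate the host already trusts) instead of `-k`. The twistcli download is the one step with no error check (`curl -sSLk ... > twistcli` is not wrapped in `if !`), so a failed download leaves an empty file that the last command executes; add `set -euo pipefail` and an explicit check. `TWISTLOCK_LICENSE` is never assigned in the script and the header comment talks about a Bearer `TOKEN` that is not used anywhere; either document that both come from the environment or delete the comment. Passing the password via `-u` and `--password` exposes it in the process list; curl's `--netrc-file` or `-K -` (config on stdin) avoids that for the HTTP calls — whether twistcli offers an equivalent is worth confirming.
```shell
#!/bin/bash
set -euo pipefail

# All secrets and the route come from the environment; nothing is committed here.
: "${TWISTLOCK_CONSOLE_USER:?TWISTLOCK_CONSOLE_USER is required}"
: "${TWISTLOCK_CONSOLE_PASSWORD:?TWISTLOCK_CONSOLE_PASSWORD is required}"
: "${TWISTLOCK_LICENSE:?TWISTLOCK_LICENSE is required}"
: "${TWISTLOCK_EXTERNAL_ROUTE:?TWISTLOCK_EXTERNAL_ROUTE is required}"
# CA bundle that signed the console certificate; replaces curl -k.
: "${TWISTLOCK_CA_BUNDLE:?TWISTLOCK_CA_BUNDLE is required}"
CURL=(curl -sS --cacert "$TWISTLOCK_CA_BUNDLE")

# … unchanged: signup and license POSTs, with "${CURL[@]}" in place of curl -k …

# Fetch twistcli over verified TLS and stop if the download fails.
if ! "${CURL[@]}" -L -u "$TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD" \
    "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/twistcli" -o twistcli; then
  echo "Error downloading twistcli from $TWISTLOCK_EXTERNAL_ROUTE" >&2
  exit 1
fi
chmod +x ./twistcli

# … unchanged: twistcli defender export …
```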