UNCLASSIFIED

Commit 69a6071e authored by thomas.burton's avatar thomas.burton

Initial push to Public

parent b87e9164
stages:
  - scan
include:
  - local: /jobs/scan/base.yml

include:
  - project: 'platform-one/private/big-bang/pipeline-templates'
    file: '/jobs/scan/base.yml'
scan container:
  extends: .trivy scan
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/console
# Twistlock
0.1.0 (06/15/2020)
Manifests for deploying Twistlock 20.04.196
* @big-bang
# Contributing
Thanks for contributing to this repository!
This repository follows these conventions:
* [Semantic Versioning](https://semver.org/)
* [Keep a Changelog](https://keepachangelog.com/)
* [Conventional Commits](https://www.conventionalcommits.org/)
Development requires the Kubernetes CLI tool as well as a local Kubernetes cluster. [KIND](https://github.com/kubernetes-sigs/kind) is recommended as a lightweight local option for standing up Kubernetes clusters.
To contribute a change:
1. Create a branch on the cloned repository with a descriptive name, prefixed with your name. For example, `gd/add-ingress` is an appropriate branch name.
2. Make the changes in code.
3. Write tests using [KUTTL](https://kuttl.dev) and [Conftest](https://conftest.dev)
4. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps automate the changelog. Update `CHANGELOG.md` in the same commit, following [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated.
5. Open a merge request using one of the provided templates. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR.
6. While the merge request is open, keep your branch rebased onto `development` so that it remains up to date.
7. Wait for a maintainer of the repository (see CODEOWNERS) to approve.
8. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit.
# Twistlock
## This should not go into production with the license and token committed to the repository.
## Twistlock under DSOP
The Twistlock Platform provides vulnerability management and compliance across the application lifecycle by scanning images and serverless functions to prevent security and compliance issues from progressing through the development pipeline, and continuously monitoring all registries and environments.
This installation follows the Twistlock documented guidance. Twistlock documentation can be found at:
https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome.html
The Twistlock Console is deployed as part of the GitOps flow. Once the Console is deployed, setting up the Defender DaemonSet is currently a manual process. This installation needs the following:
### Prerequisites
* Kubernetes cluster deployed
* Kubernetes config installed in `~/.kube/config`
* Elasticsearch and Kibana deployed to a Kubernetes namespace
Install kubectl
```
brew install kubectl
```
Install kustomize
```
brew install kustomize
```
### Deployment
Clone repository
```
git clone https://repo1.dsop.io/platform-one/apps/twistlock.git
cd twistlock
```
Apply kustomized manifest
```
kubectl apply -k ./
```
### Next steps
The application needs an administrator, the license needs to be installed, and then a `defender.yaml` needs to be generated and deployed. These steps have been consolidated in a script called `build_defender`.
The variables required are as follows:
```
# Environment
TWISTLOCK_CONSOLE_USER=Administrator
TWISTLOCK_CONSOLE_PASSWORD=<my password>
TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io
TWISTLOCK_LICENSE=
TOKEN=<Generated Bearer token from Manage > Authentication > User Certificates>
```
This process requires kubectl to be installed and able to communicate with the DSOP cluster.
#### Add an Administrator
Initially there are no users associated with the Twistlock Console. Go to the external URL and add an Administrator account and a password. Alternatively, run the following script:
```
# Add Administrator
# -f makes curl fail on an HTTP error status; without it only transport failures reach the `if`.
# -k skips TLS verification; replace it with --cacert <console CA> once the Console certificate is known.
if ! curl -fsS -k -H 'Content-Type: application/json' -X POST \
  -d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}" \
  "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/signup"; then
  echo "Error creating Twistlock Console user $TWISTLOCK_CONSOLE_USER"
  exit 1
fi
```
#### Install the license
The license can be added directly at the TWISTLOCK_EXTERNAL_ROUTE URL: when first logging in, the admin user will be prompted for a license. The following script will install the license:
```
# License
# -u puts the password on the command line, where it is visible in the process list on the machine running this.
if ! curl -fsS -k \
  -u "$TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD" \
  -H 'Content-Type: application/json' \
  -X POST \
  -d "{\"key\": \"$TWISTLOCK_LICENSE\"}" \
  "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license"; then
  echo "Error uploading Twistlock license to console"
  exit 1
fi
```
#### Install Defender with Twistcli
twistcli can be downloaded from the Console under Manage > System > Downloads. After downloading, make the file executable:
```
$ chmod +x twistcli
```
The "Bearer" token can be found in the Twistlock Console under Manage > Authentication > User Certificates. Alternatively, run one of the following commands (`-f` ensures an HTTP error body is not saved, and then made executable, as `twistcli`):
```
# Windows twistcli:
curl --progress-bar -fL -k --header "authorization: Bearer $TOKEN" "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/windows/twistcli.exe" > twistcli.exe
```
```
# Linux twistcli:
curl --progress-bar -fL -k --header "authorization: Bearer $TOKEN" "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/twistcli" > twistcli; chmod a+x twistcli
```
```
# Mac OS twistcli:
curl --progress-bar -fL -k --header "authorization: Bearer $TOKEN" "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/osx/twistcli" > twistcli; chmod a+x twistcli
```
#### Install Defender
1) Export the DaemonSet. The following command can authenticate with TOKEN or with username/password:
```
./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user $TWISTLOCK_CONSOLE_USER --password $TWISTLOCK_CONSOLE_PASSWORD --address https://$TWISTLOCK_EXTERNAL_ROUTE --cluster-address twistlock-console:8084
```
The exported `defender.yaml` references the default image on the Prisma server. Images must be pulled from Platform One, so change the image in `defender.yaml` to:
`registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169`
2) Install Defender
```
kubectl apply -f defender.yaml
```
Alternatively, install Defender from the Console UI. The DaemonSet generator is located in the Twistlock Console under Manage -> Defenders -> Deploy -> Daemonset. Select the following options:
* Choose the name that clients and Defenders use to access this Console: twistlock-console
* Choose the port number that Defenders use to access this Console: 8084
* Choose the cluster orchestrator: kubernetes
* NodeSelector: leave this blank
* Monitor service accounts: On
* Monitor Istio: On
* Collect Deployment and Namespace labels: On
* Use the official Twistlock registry: On (if possible)
* Deploy Defenders with SELinux Policy: Off
* Run Defenders as privileged: On
* Nodes use Container Runtime Interface (CRI), not Docker: On
* Nodes run inside containerized environment: Off
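The image substitution in step 1 and the Console options above describe what the exported DaemonSet should contain before it is applied. As an added example, not code from this repository, the following Python helper rewrites the defender image line to the Platform One image and checks the result as a pre-apply gate. The sample DaemonSet and its upstream image reference are constructed here, since twistcli's real output is not shown on this page, and the set of checks is an assumption about what such a gate should verify.

```python
import re

# Constructed stand-in for the file `twistcli defender export kubernetes` writes.
# The upstream image reference is made up; the page only says the default image
# points at the Prisma server.
SAMPLE_DEFENDER_YAML = """\
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: twistlock-defender-ds
  namespace: twistlock
spec:
  template:
    spec:
      containers:
      - name: twistlock-defender
        image: registry-auth.example.com/tw_0000/twistlock/defender:defender_20_04_169
        securityContext:
          privileged: true
"""

P1_REGISTRY = "registry.dsop.io/"
P1_DEFENDER_IMAGE = P1_REGISTRY + "platform-one/apps/twistlock/defender:20.04.169"

# One `image:` line of the manifest; [ \t] rather than \s so a match never spans lines.
IMAGE_LINE = re.compile(r"^(?P<indent>[ \t]*)image:[ \t]*(?P<ref>\S+)[ \t]*$", re.MULTILINE)


def image_repo(ref: str) -> str:
    """Strip tag and digest from an image reference without breaking on a registry port."""
    ref = ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition(":")
    return head if sep and "/" not in tail else ref


def rewrite_defender_image(manifest: str, new_image: str = P1_DEFENDER_IMAGE) -> str:
    """Point every defender image line at the Platform One image, leaving other images alone."""
    def repl(m):
        if image_repo(m.group("ref")).endswith("/defender"):
            return f"{m.group('indent')}image: {new_image}"
        return m.group(0)
    return IMAGE_LINE.sub(repl, manifest)


def check_defender_manifest(manifest: str) -> list:
    """Findings that should block `kubectl apply`; an empty list means the manifest is as expected."""
    findings = []
    refs = [m.group("ref") for m in IMAGE_LINE.finditer(manifest)]
    if not refs:
        findings.append("no image: lines found")
    findings += [f"image not from Platform One registry: {r}" for r in refs if not r.startswith(P1_REGISTRY)]
    if not re.search(r"^[ \t]*namespace:[ \t]*twistlock[ \t]*$", manifest, re.M):
        findings.append("DaemonSet is not in the twistlock namespace")
    # --privileged was passed to twistcli, so the export must say so; a Defender
    # without it cannot do the runtime defense the deployment expects.
    if not re.search(r"^[ \t]*privileged:[ \t]*true[ \t]*$", manifest, re.M):
        findings.append("defender container is not privileged")
    return findings


if __name__ == "__main__":
    fixed = rewrite_defender_image(SAMPLE_DEFENDER_YAML)
    print("before:", check_defender_manifest(SAMPLE_DEFENDER_YAML))
    print("after: ", check_defender_manifest(fixed))
```

Run it against the real `defender.yaml` by reading the file into `rewrite_defender_image` and refusing to apply while `check_defender_manifest` returns anything; the registry check is what keeps a Defender pulled from outside Platform One from landing on every node.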
namespace: twistlock
resources:
- twistlock_console.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: twistlock
---
apiVersion: v1
kind: ConfigMap
data:
  twistlock.cfg: "# _____ _ _ _ _ \n# |_ _|_ _(_)___| |_| | ___ ___| | __ \n# | | \\ \\ /\\ / / / __| __| |/ _ \\ / __| |/ / \n# | | \\ V V /| \\__ \\ |_| | (_) | (__| < \n# |_| \\_/\\_/ |_|___/\\__|_|\\___/ \\___|_|\\_\\\\ \n\n# This configuration file contains the setup parameters for Twistlock\n# This file is typically stored in the same directory as the installation script (twistlock.sh)\n# To reconfigure settings, update this configuration file and re-run twistlock.sh; state and unchanged settings will persist\n\n\n\n#############################################\n# Network configuration\n#############################################\n# Each port must be set to a unique value (multiple services cannot share the same port)\n###### Management Console ports #####\n# Sets the ports that the Twistlock management website listens on\n# The system that you use to configure Twistlock must be able to connect to the Twistlock Console on these ports\n# To disable the HTTP listener, leave the value empty (e.g. MANAGEMENT_PORT_HTTP=)\nMANAGEMENT_PORT_HTTP=${MANAGEMENT_PORT_HTTP-8081}\nMANAGEMENT_PORT_HTTPS=8083\n\n##### Inter-system communication port ##### \n# Sets the port for communication between the Defender(s) and the Console\nCOMMUNICATION_PORT=8084\n\n##### Certificate common names (optional) #####\n# Determines how to construct the CN in the Console's certificate\n# This value should not be modified unless instructed to by Twistlock Support\nCONSOLE_CN=$(hostname --fqdn 2>/dev/null); if [[ $? == 1 ]]; then CONSOLE_CN=$(hostname); fi\n# Determines how to construct the CN in the Defenders' certificates\n# Each Defender authenticates to the Console with this certificate and each cert must have a unique CN\n# These values should not be modified unless instructed to by Twistlock Support\nDEFENDER_CN=${DEFENDER_CN:-}\n\n#############################################\n# Twistlock system configuration\n#############################################\n###### Data recovery #####\n# Data recovery automatically exports the full Twistlock configuration to the specified path every 24 hours\n# Daily, weekly, and monthly snapshots are retained\n# The exported configuration can be stored on durable storage or backed up remotely with other tools\n# Sets data recovery state (enabled or disabled)\nDATA_RECOVERY_ENABLED=true\n# Sets the directory to which Twistlock data is exported\nDATA_RECOVERY_VOLUME=/var/lib/twistlock-backup\n\n##### Read only containers #####\n# Sets Twistlock containers' file-systems to read-only\nREAD_ONLY_FS=true\n\n##### Storage paths #####\n# Sets the base directory to store Twistlock local data (db and log files)\nDATA_FOLDER=/var/lib/twistlock\n\n##### Docker socket #####\n# Sets the location of the Docker socket file\nDOCKER_SOCKET=${DOCKER_SOCKET:-/var/run/docker.sock}\n# Sets the type of the Docker listener (TCP or NONE)\nDEFENDER_LISTENER_TYPE=${DEFENDER_LISTENER_TYPE:-NONE}\n\n#### SCAP (XCCDF) configuration ####\n# Sets SCAP state (enabled or disabled)\nSCAP_ENABLED=${SCAP_ENABLED:-false}\n\n#### systemd configuration ####\n# Installs Twistlock as systemd service\nSYSTEMD_ENABLED=${SYSTEMD_ENABLED:-false}\n\n#### userid configuration ####\n# Run Twistlock Console processes as root (default, twistlock user account)\n# Typically used to run Console on standard (tcp/443) privileged port for TLS\nRUN_CONSOLE_AS_ROOT=${RUN_CONSOLE_AS_ROOT:-false}\n\n#### SELinux configuration ####\n# If SELinux is enabled in dockerd, enable running Twistlock Console and Defender with a dedicated SELinux label\n# See https://docs.docker.com/engine/reference/run/#security-configuration\nSELINUX_LABEL=disable\n\n#############################################\n# High availability settings\n#############################################\n# Only to be used when the Console is deployed outside of a Kubernetes cluster\n# This native HA capability uses Mongo clustering and requires 3 or more instances\nHIGH_AVAILABILITY_ENABLED=false\nHIGH_AVAILABILITY_STATE=PRIMARY\nHIGH_AVAILABILITY_PORT=8086\n\n\n\n#############################################\n# Twistlock repository configuration\n#############################################\n# Sets the version tag of the Twistlock containers\n# Do not modify unless instructed to by Twistlock Support\nDOCKER_TWISTLOCK_TAG=_19_11_512\n"
metadata:
  name: twistlock-console
  namespace: twistlock
---
apiVersion: v1
kind: Service
metadata:
  labels:
    name: console
  name: twistlock-console
  namespace: twistlock
spec:
  ports:
  - name: communication-port
    port: 8084
  - name: management-port-https
    port: 8083
  - name: mgmt-http
    port: 8081
  selector:
    name: twistlock-console
---
apiVersion: v1
kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC)
metadata:
  name: twistlock-console
  namespace: twistlock
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: twistlock-console
  namespace: twistlock
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: twistlock-console
  namespace: twistlock
  labels:
    name: twistlock-console
spec:
  replicas: 1
  selector:
    matchLabels:
      name: twistlock-console
  strategy:
    type: Recreate
  template:
    metadata:
      name: twistlock-console
      namespace: twistlock
      labels:
        name: twistlock-console
    spec:
      restartPolicy: Always
      serviceAccountName: twistlock-console
      containers:
      - name: twistlock-console
        # This is the P1 repo.
        image: registry.dsop.io/platform-one/apps/twistlock/console:20.04.169
        ports:
        - name: mgmt-https
          containerPort: 8083
        - name: communication
          containerPort: 8084
        - name: mgmt-http
          containerPort: 8081
        env:
        - name: HIGH_AVAILABILITY_ENABLED
          value: "false"
        - name: CONFIG_PATH
          value: /data/config/twistlock.cfg
        - name: LOG_PROD
          value: "true"
        - name: DATA_RECOVERY_ENABLED
          value: "true"
        - name: COMMUNICATION_PORT
          value: "8084"
        - name: MANAGEMENT_PORT_HTTPS
          value: "8083"
        - name: MANAGEMENT_PORT_HTTP
          value: "8081"
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - name: twistlock-config-volume
          mountPath: "/data/config/"
        - name: console-persistent-volume
          mountPath: "/var/lib/twistlock"
          subPath: "var/lib/twistlock"
        - name: console-persistent-volume
          mountPath: "/var/lib/twistlock-backup"
          subPath: "var/lib/twistlock-backup"
        - name: syslog-socket
          mountPath: "/dev/log"
      volumes:
      - name: console-persistent-volume
        persistentVolumeClaim:
          claimName: "twistlock-console"
      - name: twistlock-config-volume
        configMap:
          name: twistlock-console
      - name: syslog-socket
        hostPath:
          path: "/dev/log"
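As an added example, not part of the manifests, the following Python audit encodes the hardening choices visible in the Deployment above: a dedicated ServiceAccount, a read-only root filesystem, hostPath limited to the syslog socket, and Console state on a PersistentVolumeClaim rather than in the container. The dicts are constructed excerpts in the shape `yaml.safe_load` would return (only the fields the audit reads are included), and the loosened variant is hypothetical, included to show what the audit catches.

```python
# Constructed excerpt of the console Deployment, as yaml.safe_load would return it.
CONSOLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "twistlock-console", "namespace": "twistlock"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "twistlock-console",
        "containers": [{
            "name": "twistlock-console",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [
                {"name": "console-persistent-volume", "mountPath": "/var/lib/twistlock"},
                {"name": "syslog-socket", "mountPath": "/dev/log"},
            ],
        }],
        "volumes": [
            {"name": "console-persistent-volume", "persistentVolumeClaim": {"claimName": "twistlock-console"}},
            {"name": "syslog-socket", "hostPath": {"path": "/dev/log"}},
        ],
    }}},
}

# Hypothetical loosened variant (constructed, not from the repository): wrong namespace,
# default ServiceAccount, privileged, writable root filesystem, node Docker socket mounted.
LOOSENED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "twistlock-console", "namespace": "default"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "twistlock-console",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "docker", "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
    }}},
}

# Only the syslog socket may come from the node; everything else the Console needs
# is on the PVC or in the ConfigMap.
ALLOWED_HOSTPATHS = {"/dev/log"}
EXPECTED_NAMESPACE = "twistlock"


def audit_console(obj: dict) -> list:
    """Return human-readable findings; an empty list means the workload matches the baseline."""
    findings = []
    if obj.get("metadata", {}).get("namespace") != EXPECTED_NAMESPACE:
        findings.append(f"namespace is not {EXPECTED_NAMESPACE}")
    pod = obj["spec"]["template"]["spec"]
    if not pod.get("serviceAccountName"):
        findings.append("no dedicated serviceAccountName (an SCC bound to the account will not apply)")
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: root filesystem is writable")
        if sc.get("privileged"):
            findings.append(f"{c['name']}: runs privileged")
    for v in pod.get("volumes", []):
        hp = v.get("hostPath")
        if hp and hp.get("path") not in ALLOWED_HOSTPATHS:
            findings.append(f"volume {v['name']}: hostPath {hp.get('path')} is not allowed")
    if not any("persistentVolumeClaim" in v for v in pod.get("volumes", [])):
        findings.append("no PersistentVolumeClaim: console DB and backups would live in the container")
    return findings


if __name__ == "__main__":
    print("console:", audit_console(CONSOLE_DEPLOYMENT))
    print("loosened:", audit_console(LOOSENED_DEPLOYMENT))
```

The same function fits a Conftest-style gate in the scan stage: load each document of `twistlock_console.yaml`, run `audit_console` on the Deployment, and fail the pipeline on any finding.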
#!/bin/bash
# The "Bearer" token can be found in the Twistlock Console under Manage > Authentication > User Certificates. Alternatively, run the following commands.
# Secrets come from the environment: never commit a password, license key or token to this repository.
TWISTLOCK_CONSOLE_USER=${TWISTLOCK_CONSOLE_USER:-Administrator}
: "${TWISTLOCK_CONSOLE_PASSWORD:?set TWISTLOCK_CONSOLE_PASSWORD in the environment; do not hard-code it here}"
: "${TWISTLOCK_LICENSE:?set TWISTLOCK_LICENSE in the environment}"
TWISTLOCK_EXTERNAL_ROUTE=${TWISTLOCK_EXTERNAL_ROUTE:-twistlock.fences.dsop.io}
# -f makes curl fail on an HTTP error status; without it only transport failures reach the `if`.
# -k skips TLS verification; replace it with --cacert <console CA> once the Console certificate is known.
# set Twistlock console user/pass
if ! curl -fsS -k -H 'Content-Type: application/json' -X POST \
  -d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}" \
  "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/signup"; then
  echo "Error creating Twistlock Console user $TWISTLOCK_CONSOLE_USER"
  exit 1
fi
# Set Twistlock license using the user/pass just created.
# Note: -u puts the password on the command line, where it is visible in the process list.
if ! curl -fsS -k \
  -u "$TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD" \
  -H 'Content-Type: application/json' \
  -X POST \
  -d "{\"key\": \"$TWISTLOCK_LICENSE\"}" \
  "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license"; then
  echo "Error uploading Twistlock license to console"
  exit 1
fi
# Download twistcli; -f keeps an HTTP error body from being saved (and made executable) as twistcli.
curl -fsSLk -u "$TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD" "https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/twistcli" > twistcli
chmod +x ./twistcli
# Export the Defender DaemonSet (written to defender.yaml).
./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user "$TWISTLOCK_CONSOLE_USER" --password "$TWISTLOCK_CONSOLE_PASSWORD" --address "https://$TWISTLOCK_EXTERNAL_ROUTE" --cluster-address twistlock-console:8084
# Change the image in defender.yaml to the Platform One registry before applying:
# registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169
# kubectl apply -f ./defender.yaml
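The README warns that this repository must not go to production with the license and token in it, and the script above ships with placeholder credentials. As an added example, not part of the project, the following Python check flags literal values assigned to the secret variables and literal Bearer tokens in shell text, so it can run as a pre-commit hook or in the pipeline's scan stage. Both sample scripts are constructed (every value in them is made up); the variable names are the ones used on this page.

```python
import re

# Constructed stand-in for a build_defender.sh committed with real values filled in.
LEAKY_SCRIPT = """\
#!/bin/bash
TWISTLOCK_CONSOLE_USER=Administrator
TWISTLOCK_CONSOLE_PASSWORD=Passw0rd!
TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io
TWISTLOCK_LICENSE=eyJhbGciOiJIUzI1NiJ9.constructed.license
curl -k --header "authorization: Bearer a1b2c3d4e5f6g7h8i9j0k1l2" https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/twistcli > twistcli
"""

# The same script taking its secrets from the environment (constructed).
CLEAN_SCRIPT = """\
#!/bin/bash
TWISTLOCK_CONSOLE_USER=${TWISTLOCK_CONSOLE_USER:-Administrator}
: "${TWISTLOCK_CONSOLE_PASSWORD:?set in the environment}"
: "${TWISTLOCK_LICENSE:?set in the environment}"
TOKEN=<Generated Bearer token from Manage > Authentication > User Certificates>
curl -k --header "authorization: Bearer $TOKEN" https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/twistcli > twistcli
"""

# Variables whose values must never appear literally in the repository.
SECRET_VARS = {"TWISTLOCK_CONSOLE_PASSWORD", "TWISTLOCK_LICENSE", "TOKEN"}
# A shell assignment at the start of a line; [ \t] keeps the match on one line.
ASSIGN = re.compile(r"^[ \t]*(?:export[ \t]+)?(?P<name>[A-Z][A-Z0-9_]*)=(?P<value>[^\s#]*)", re.M)
# A Bearer value that is a literal of token-like length, not a shell variable reference.
BEARER = re.compile(r"Bearer[ \t]+(?!\$)[A-Za-z0-9._\-]{16,}")


def is_placeholder(value: str) -> bool:
    """Empty, a $VARIABLE reference, or an <angle-bracket> placeholder is not a secret."""
    v = value.strip("'\"")
    return v == "" or v.startswith("$") or v.startswith("<")


def line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def find_committed_secrets(text: str) -> list:
    """Return 'line N: ...' findings in line order; an empty list means nothing literal was found."""
    findings = []
    for m in ASSIGN.finditer(text):
        if m.group("name") in SECRET_VARS and not is_placeholder(m.group("value")):
            findings.append((line_of(text, m.start()), f"{m.group('name')} has a literal value"))
    for m in BEARER.finditer(text):
        findings.append((line_of(text, m.start()), "literal Bearer token in a header"))
    return [f"line {n}: {msg}" for n, msg in sorted(findings)]


if __name__ == "__main__":
    print("leaky:", find_committed_secrets(LEAKY_SCRIPT))
    print("clean:", find_committed_secrets(CLEAN_SCRIPT))
```

The check reports positions, never the values themselves, so its output can go into CI logs without re-leaking the secret it found.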