Secure your Containers Running On the Google Container Engine
Twistlock today announced the availability of Twistlock’s Container Security Suite on Google Cloud Platform and the participation in the Google Cloud Platform partner program.
Google, who has been running containers at scale for over a decade in their data centers, has moved to providing tools and technologies for developers to leverage their extensive experience in container computing. Google Container Engine (GKE), for instance, is a powerful cluster management and orchestration system for running Docker containers.
Collaborating with Google, we integrated Twistlock with Google Cloud Platform (GCP), providing container image scanning, access control functions, and the ability to enforce runtime security policies to protect containerized applications running on GCP.
Google Cloud Platform offers some of the best persistence options in the industry. With GCP, you can synchronously replicate computing tasks across the country with very little manual effort. Many of our customers who are building Internet-scale applications with containers are looking at GCP as a strategically important platform. That’s just one of the reasons why we are excited about being a Google Cloud Platform partner.
This blog post explains how Twistlock Container Security Suite works with Google Cloud Platform and how a user can leverage Twistlock technologies to protect their workloads in GCP. A Google blog explaining the integration from Google’s perspective can be found here.
Twistlock Container Security Suite on Google Cloud Platform
As far as users are concerned, there are three components to Twistlock Container Security Suite available on Google Cloud Platform.
- Console: The Twistlock Console is both a policy configuration portal and a central dashboard for all Twistlock tasks. GCP users can use the console to configure image scan policies, specify run time controls, and view the real-time security posture of all managed containers,
- Defender: A Twistlock Defender runs on the same node as protected container workloads. The Defender monitors container health, applies configuration policies, and reports container information back to the console. You will need one defender for each node on which you are running application containers.
- Registry Scanner: The Registry Scanner, which is the engine that performs vulnerability scanning for container registries, is a special Defender, which resides in a container on the same host as the Console. In this context, the registry we support is Google Container Registry.
On the backend, we run the Twistlock Intelligence Service, which supplies real-time vulnerability and threat intelligence to the Registry Scanners, Console, and Defenders. The Intelligence service is automatically provisioned with the Console; it resides in the Twistlock cloud and is not user facing.
Why use Twistlock for your workloads on Google Cloud Platform?
Twistlock is a purpose-built solution to secure containerized applications. We built our technologies from the ground up to be agile, lightweight, and extremely portable, exactly as the container workloads that you have.
Twistlock’s technologies are easy to install on GCP. With Twistlock, GCP users can
- Enforce image security and compliance: You can use Twistlock to scan container images stored in Google Container Registry, detect possible CVE vulnerabilities or violations to configuration policies. Twistlock outputs actionable vulnerability data, which you can use to guide your remediation steps.
- Detect runtime threats and anomalies: If you have a running container cluster, managed by the Container Engine (GKE), you can leverage GKE to install Twistlock Defenders to protect your running containers. More specifically, you can detect the existence of active threats, e.g., a process is communicating with known malicious IP’s, and runtime anomalies. You can take corrective actions, such as raising an alert, blocking a user access, stopping a running container or blocking a vulnerable container being launched at the first place.
- Gain real-time visibility of your container cluster. Twistlock’s dashboard allows you to get real-time insight of vulnerability information, configuration errors, policy violations, user access patterns and corrective actions in both Container Registry and Container Engine.
Twistlock’s technologies integrate with Container Registry and Container Engine so you can manage your security policies consistently from development to production. For instance, if you have a policy that stipulates that no containers should enable inbound SSH access, Twistlock can scan static container images in the registry to ensure that no image includes SSH. Additionally in runtime, Twistlock can monitor traffic to detect and report policy-violating SSH connections.
To learn more, read Google’s blog on Container Registry here.
Start Twistlock for Google Cloud Platform
We are offering a 60-day free trial program to Google Cloud Platform users. To take advantage of this offering, please sign up with a free trial account here. Once we have your account set up, we will establish a batch install script for you. The steps you need to follow are the following:
Step I: Deploy Twistlock Console and Registry Scanner
- Go to GCP, and request a VM from Google Cloud Platform (or multiple VMs for H/A requirements)
- Take our batch install script and install the Twistlock Console and Registry Scanner inside the VM.
Step 2: Access the Console and download the corresponding twistlock-rc.yaml and twistlock-secrets.yaml files for your environment.
Step 3: Install the Twistlock Defender to all nodes need to be protected.
For Twistlock Defenders, one Defender must run on each host that is running containers that you wish to protect, A Defender itself is a privileged container with the main app running as root. To run Twistlock Defenders, you must meet the following requirements.
- Volume sharing: The following volumes are required to be shared with the Defender container:
- /var/run/docker.sock – to access the Docker daemon API
- /dev/log – to write log information to syslog
- /usr/bin/docker – to cover audit requirements [section 1.8 in CIS Benchmark]
- Secure communication: A Twistlock Defender communicates only to the Twistlock Console via a mutually authenticated channel. The Defender always initiates the connection to the Console, so there is no need for an open port on the Defender. A Defender and the Console will mutually authenticate before a TLS connection is established. We recommend using Kubernetes secrets to propagate the Console’s TLS certificate to each Defender.
- Anti-affinity: To ensure that there is exactly one Defender running on each node, we use a Replication Controller to manage the deployment of Twistlock Defender. The Replication Controller uses a designated port, 9998, and a specified number of nodes to ensure there is one and only one Defender running on each node.
To create defenders, run
kubectl create -f twistlock-secret.yaml
kubectl create -f twistlock-rc.yaml
To find out more about Twistlock for Google Cloud Platform, please go to https://www.twistlock.com/google-cloud-security-solution/ or contact us at email@example.com.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
How My Company (Teckro) Uses ContainersRead the Blog
Mitigating CVE-2019-5736 Impacting RunC and DockerRead the Blog
From Agile to DevSecOps and DevOps SecurityRead the Blog
What’s Next for Cloud-Native Infrastructure Technology?Read the Blog
Cloud Native Security Beyond Your Cloud Vendor’s ToolsRead the Blog