At Twistlock, we make sure our security solution runs on all the platforms you use. With >100 years of Microsoft tenure working at Twistlock, you can rightfully assume that Azure is near to our hearts!

Recently, Microsoft announced their managed Kubernetes offering in Azure, named Azure Kubernetes Service (AKS). Following the announcement, I wanted to create a summary of the powerful features Twistlock offers that scale directly with AKS. Deploying Twistlock within a Kubernetes Cluster is a relatively simple task, using capabilities that are native to Kubernetes. The Twistlock Console, the central dashboard to view your environment, is deployed as a Replication Controller (high availability) and Twistlock Defenders are deployed within a DaemonSet (node coverage).

Microsoft also offers the ability to run containerized services within Azure Service Fabric (ASF), and some of our customers have chosen to use it to run their containers. Twistlock can monitor and protect the containerized services within this microservices offering. The Twistlock Defender runs as a Docker container on Azure Service Fabric Ubuntu nodes and as a service running on Windows Server 2016 with Docker nodes. Later in this blog, we’ll also cover deploying and running Twistlock on ASF.

Additional offerings from Microsoft supported by Twistlock

Microsoft Azure provides a couple of additional related services for containers that Twistlock also supports. Azure Container Service (ACS) was the first solution designed to make it easier to deploy orchestrated sets of Azure VMs. Twistlock supported ACS from the start (see our post on the Azure Security team blog) and was a security launch partner for the companion registry, Azure Container Registry.

How to Deploy Twistlock in Azure Kubernetes Service

Deploying Twistlock within the Azure Kubernetes Service is similar to other Kubernetes cluster deployments. Twistlock Console requires a Persistent Volume for its database. Within the AKS resource group, create a standard, managed, empty 100GB disk.

Note the created disk’s Name (diskName) and Resource ID (diskURI), and create a Persistent Volume from them.

pv.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: twistlock-console
  labels:
    app: twistlock-console
  annotations:
    volume.beta.kubernetes.io/storage-class: default
spec:
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteOnce
  azureDisk:
    kind: Managed
    diskName: twistlock-console
    diskURI: /subscriptions//resourceGroups/MC_PfoxAKS_PFoxAKSCluster_eastus/providers/Microsoft.Compute/disks/twistlock-console
    cachingMode: ReadWrite
    fsType: ext4
    readOnly: false

Twistlock 2.3 installation uses the standalone twistcli application to generate the Twistlock Console deployment yaml file.

Provide the Persistent Volume’s label defined above (app:twistlock-console) in the --persistent-volume-labels argument and “default” in the --storage-class argument.

/linux/twistcli console export --image-pull-secrets secretname --namespace twistlock --persistent-volume-labels app:twistlock-console --registry-address yourregistry.azurecr.io --storage-class default

Then deploy the Twistlock Defender as a DaemonSet. The Twistlock Defenders running on all the AKS nodes will associate with the Twistlock Console.
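The AKS steps above (create the disk, write the Persistent Volume, export the Console manifest) scripted end to end, as an added example that is not Twistlock’s own tooling. The node resource group, registry, pull secret, twistcli path and the generated manifest filename are assumptions; the `validate_disk_uri` check exists because the most common mistake here is pasting a diskURI whose subscription segment is empty, which the kubelet cannot attach.

```shell
#!/usr/bin/env sh
# Added example (not Twistlock's code): scripts the Console deployment on AKS.
# Assumed placeholders: NODE_RG, REGISTRY, PULL_SECRET, the twistcli path and
# the filename twistcli writes (twistlock_console.yaml).
set -eu

NODE_RG="${NODE_RG:-MC_<aks-rg>_<cluster>_<region>}"   # node resource group of the AKS cluster
DISK_NAME="${DISK_NAME:-twistlock-console}"
REGISTRY="${REGISTRY:-yourregistry.azurecr.io}"
PULL_SECRET="${PULL_SECRET:-secretname}"

# validate_disk_uri URI
# Accepts only a fully qualified managed-disk resource id. An empty subscription
# segment ("/subscriptions//resourceGroups/...") is the usual paste error and is
# rejected here before anything is applied to the cluster.
validate_disk_uri() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Compute/disks/[^/]+$'
}

# render_pv_manifest NAME URI
# Prints the PersistentVolume bound to the managed disk, carrying the label that
# twistcli's --persistent-volume-labels argument selects on.
render_pv_manifest() {
  cat <<EOF
apiVersion: v1
kind: PersistentVolume
metadata:
  name: $1
  labels:
    app: $1
  annotations:
    volume.beta.kubernetes.io/storage-class: default
spec:
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteOnce
  azureDisk:
    kind: Managed
    diskName: $1
    diskURI: $2
    cachingMode: ReadWrite
    fsType: ext4
    readOnly: false
EOF
}

# deploy: runs the cloud and cluster commands; needs az, kubectl and twistcli
# already authenticated, and the image pull secret present in the namespace.
deploy() {
  # 1. Create the empty 100 GB managed disk and capture its resource id.
  disk_uri=$(az disk create --resource-group "$NODE_RG" --name "$DISK_NAME" \
               --size-gb 100 --sku Standard_LRS --query id --output tsv)
  validate_disk_uri "$disk_uri" || { echo "unexpected disk id: $disk_uri" >&2; exit 1; }

  # 2. Create the PersistentVolume from the captured id.
  render_pv_manifest "$DISK_NAME" "$disk_uri" > pv.yaml
  kubectl apply -f pv.yaml

  # 3. Generate and apply the Console manifest (twistcli path and output filename assumed).
  kubectl get namespace twistlock >/dev/null 2>&1 || kubectl create namespace twistlock
  ./linux/twistcli console export --image-pull-secrets "$PULL_SECRET" --namespace twistlock \
      --persistent-volume-labels "app:$DISK_NAME" --registry-address "$REGISTRY" --storage-class default
  kubectl create -f twistlock_console.yaml

  # 4. Confirm the claim bound to our disk rather than to a dynamically provisioned volume.
  kubectl -n twistlock get pvc -o custom-columns='NAME:.metadata.name,VOLUME:.spec.volumeName,STATUS:.status.phase'
}

# Only run the cloud steps when invoked as: sh deploy-console.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

The two helper functions are pure (no cloud calls), so the manifest can be rendered and the disk id checked before anything touches the subscription; `deploy` is the only function that needs credentials.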

All Twistlock features are supported within the Azure Kubernetes Service.

Twistlock in Azure Service Fabric

If you’re using Azure Service Fabric for running your containers, we recommend running the Twistlock Console on either a standalone Azure VM or within AKS, because these services provide more capabilities for data persistence than ASF. Once Console is running, deploying Defenders on Azure Service Fabric Windows Server 2016 with Docker is pretty simple:

  • Within the Twistlock Console go to Manage / Defenders / Deploy
  • Add your Twistlock Console’s FQDN to the Subject Alternative Name (2)
  • Select the FQDN of your Twistlock Console (1.a)
  • Defender type = Docker on Windows (1.b)
  • Copy the generated PowerShell script (1.d)

Log on to each Azure Service Fabric node (or use whatever automation tooling you use to manage the host OS) and run the Defender install PowerShell script as Administrator.

The Azure Service Fabric nodes’ Defenders will appear in Manage / Defenders / Manage.

ASF node names start with nt1vm* and AKS nodes appear as aks-node*. All Twistlock Defender functionality is supported on ASF Ubuntu nodes. For Windows containers running on Windows Server 2016 with Docker, Twistlock provides vulnerability management, compliance, and runtime defense.

Start your Twistlock trial today by finding Twistlock in the Azure Marketplace.

Whether you choose Azure Kubernetes Service, Azure Service Fabric, or both to run your microservices, Twistlock is ready to protect your containers in Azure. As the Windows container ecosystem grows, Twistlock will be there to help secure your microservices.
