At Twistlock, we’re working with enterprises across almost every industry vertical to secure their containerized applications. With our most recent release, we’ve added powerful capabilities to ensure Twistlock scales to large environments while also providing the ability compartmentalize deployments for regulatory or operational reasons.
To begin my post, I’d like to recap the components involved in Twistlock. We ship the Twistlock product as containers with two images:
- Console is the user interface and the API server shown at the top of the diagram above.
- The Defender(s) are the points of enforcement. Defender runs on each of your hosts and carries out any policies that you set in Console. You can see Defenders at the bottom of the diagram above.
We rigorously test performance of our product and quite happily support 1,000 Defenders managed by a single Console. Those tests are real. We really have spun up over 1,000 hosts with Defenders on them and a container workload; the Console and Defenders operated as normal.
So, we capped that and published that we support 1,000 Defenders per Console.
Challenge #1: Scale
Some of our customers are operating at a scale that eclipses those numbers (how inconsiderate of them!). For example we have a customer with 70,000 Docker hosts all of which need to be protected by Twistlock.
We needed to come up with a way of scaling.
Challenge #2: Multi Tenancy
At the same time, we have customers with stringent compliance and data separation requirements. We’ve always had Role Based Access Control in Twistlock, but a set of customers needed an extremely segregated setup…a setup that still included overall governance!
We needed a way of having a Console for each of their business units and a Console that could collate everything and push policies for the entire estate.
To solve both of these, we’re introducing the Projects feature which brings infinite scale and multi tenancy to Twistlock!
The diagram above shows how both of these challenges are solved from an architecture standpoint:
- Tenant Projects
- On the bottom left, you can see projects which are tenants. They each can have up to 1,000 Defenders talking to them.
- They have their own policies and settings. For users, each of these are entirely separate from one another.
- The Central Console has visibility into each of these tenant projects.
- Scale Projects
- On the bottom right you can see the scale projects. Each of these can have up to 1,000 Defenders talking to them
- They inherit their policies and settings from the Central Console
- When it comes to ‘using’ these Consoles, they’re basically invisible. You would interact with the Central Console only.
- Central Console Defenders
- The eagle-eyed amongst you will see that the Central Console can also optionally have up to 1,000 Defenders talking directly to it.
If you’ve used Twistlock then you know how we like to keep everything intuitive. Simple and easy to set up, simple and easy to regress. Projects are exactly the same.
You deploy two Consoles and then login to the one you want to make the Central Console, allocate the other Console to it et voila! You’ve setup projects.
Do you already have separate Consoles and want to move to projects? Login to the one you want to make the Central Console (or deploy another one, your choice), allocate the other Consoles to it et voila! You’ve setup projects.
Want to undo it all? Login to your Central Console and hit the check box to put everything back to how it was.
If you’ve worked with Twistlock before then you know how this works…is this a separate product or some sort of add-on? Nope, all of this, like everything we do, is covered by your existing license. This isn’t some way of squeezing money from our customers. It’s just part of what we do — continually improving the product and making the improvements part of your subscription.
If infinite scale or multi tenancy sound like things you’d be interested in, or if you’re just intrigued to know more about Twistlock, then get in touch!
Related Twistlock 2.4 Posts:
Follow us on Twitter
Keep up to date with the latest news from TwistlockLabs and TwistlockTeam.
Twistlock Releases Serverless Runtime Defense
A few months ago, we wrote a piece on “The Continuum of Cloud Native...
Why DevSecOps is No Longer Optional
DevSecOps has been a hot topic within tech conversations for a few yea...
Better Together: Announcing The Twistlock Advantage Program
It’s been about three years since we exited stealth with the first g...
My Security Toolset Today Vs 10 Years Ago
It can be easy to forget how sophisticated IT security tools are today...
How to crash the Linux Kernel with a CDROM interaction – CVE-2018-11506
I’ve recently discovered and reported a buffer overflow vulnerabilit...