This technical deep dive highlights key capabilities released as part of Twistlock 18.11. To learn more about what’s included with Twistlock 18.11, check out our full release blog post.

Istio is the rising star of service meshes, providing flexible controls for defining and applying microsegmentation policies to applications. Complexity often follows flexibility, though.

Twistlock 18.11 introduces new tools for visualizing and validating Istio configurations as part of your overall deployment, letting you see how your policies apply to deployed containers and letting you check that you’ve deployed Istio in line with best practice.

Service mesh visualization

Twistlock already includes best-in-class learning and visualization of container traffic. In 18.11, we extend this to include Istio policies. For example, using Istio’s Bookinfo sample application:

This view shows all of the configured policies for containers deployed in the application. We can see the microservices that make up the application (productpage, details, reviews, and ratings), as well as the three different versions of the reviews service that are deployed. We can also see the policies allowing communication between the microservices, and that the examples-bookinfo-productspage-v1 service receives traffic from the outside world.

If we dig deeper into the microservices, we can see the Istio service roles assigned to them as well. For example, if we look at the productpage:

We can see the details of the underlying ServiceRole, including the applicable services, methods, and paths, visualized for us.

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: details-reviews-viewer
  namespace: default
spec:
  rules:
  - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
    methods: ["GET"]

This lets your security team see at a glance how Istio is being used, rather than having to dig through all of the assorted, distributed configuration YAMLs in use.
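The view described above boils a ServiceRole down to the concrete service/method/path permissions it grants. The following is an added example, not Twistlock's or Istio's code, that does the same expansion on the ServiceRole from this post after it has been parsed from YAML; the second rule (ratings, with `paths` and two methods) is a hypothetical addition so the expansion has paths to show.

```python
from itertools import product

# Constructed input (not from the post's cluster): the ServiceRole shown above as
# yaml.safe_load() would return it, plus a second, hypothetical rule that uses
# `paths` and more than one method so the expansion has something to show.
SERVICE_ROLE = {
    "apiVersion": "rbac.istio.io/v1alpha1",
    "kind": "ServiceRole",
    "metadata": {"name": "details-reviews-viewer", "namespace": "default"},
    "spec": {
        "rules": [
            {
                "services": ["details.default.svc.cluster.local",
                             "reviews.default.svc.cluster.local"],
                "methods": ["GET"],
            },
            {   # hypothetical rule added for illustration
                "services": ["ratings.default.svc.cluster.local"],
                "methods": ["GET", "POST"],
                "paths": ["/ratings/*"],
            },
        ]
    },
}


def expand_service_role(role):
    """Return the sorted (service, method, path) permissions a ServiceRole grants.

    Each Istio RBAC access rule permits the cross product of its services,
    methods and paths. An omitted `methods` or `paths` list means "any", which
    is rendered as "*" so that broad grants stand out in the table.
    """
    if role.get("kind") != "ServiceRole":
        raise ValueError(f"expected kind ServiceRole, got {role.get('kind')!r}")
    grants = set()
    for rule in role.get("spec", {}).get("rules", []):
        services = rule.get("services") or []
        methods = rule.get("methods") or ["*"]
        paths = rule.get("paths") or ["*"]
        grants.update(product(services, methods, paths))
    return sorted(grants)


def wildcard_grants(role):
    """Return grants whose method or path is unrestricted; these deserve review."""
    return [g for g in expand_service_role(role) if "*" in g[1:]]


def render(role):
    """Render the expansion as a fixed-width table, one permission per line."""
    name = f"{role['metadata']['namespace']}/{role['metadata']['name']}"
    lines = [f"ServiceRole {name}", f"{'SERVICE':<40} {'METHOD':<7} PATH"]
    for service, method, path in expand_service_role(role):
        lines.append(f"{service:<40} {method:<7} {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SERVICE_ROLE))
```

Note that the role from the post has no `paths`, so every GET to details and reviews is permitted; `wildcard_grants` surfaces exactly those rows, which is the kind of broad grant a reviewer wants to confirm was intentional.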

Compliance checks for Istio

Twistlock 18.11 includes a full set of Istio compliance benchmarks, allowing you to test your existing deployment against recommended practice and audit for configuration drift against these benchmarks.

With these benchmarks configured, you can see if you’re in compliance; for example, in my Bookinfo deployment, I can see that I could do a better job of configuring TLS with Destination Rules:
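To make the TLS finding concrete, here is an added example of the kind of check such a benchmark performs; it is not Twistlock's compliance code. It walks parsed DestinationRule objects and reports any whose client-side TLS mode is not Istio-managed or explicit mutual TLS, including the case where a subset silently overrides a compliant rule-level setting. The four DestinationRules are constructed for the example and only borrow the Bookinfo host names.

```python
MTLS_MODES = {"ISTIO_MUTUAL", "MUTUAL"}

# Constructed input: four DestinationRules as yaml.safe_load() would return them.
# Hosts follow the Bookinfo naming; the policies are chosen to exercise each case.
DESTINATION_RULES = [
    {   # no trafficPolicy at all: TLS settings fall back to the mesh default
        "apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
        "metadata": {"name": "reviews", "namespace": "default"},
        "spec": {"host": "reviews.default.svc.cluster.local",
                 "subsets": [{"name": "v1", "labels": {"version": "v1"}},
                             {"name": "v2", "labels": {"version": "v2"}}]},
    },
    {   # TLS explicitly disabled
        "apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
        "metadata": {"name": "ratings", "namespace": "default"},
        "spec": {"host": "ratings.default.svc.cluster.local",
                 "trafficPolicy": {"tls": {"mode": "DISABLE"}}},
    },
    {   # compliant: Istio-managed mutual TLS
        "apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
        "metadata": {"name": "productpage", "namespace": "default"},
        "spec": {"host": "productpage.default.svc.cluster.local",
                 "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}},
    },
    {   # mutual TLS at the top level, but one subset overrides it to DISABLE
        "apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
        "metadata": {"name": "details", "namespace": "default"},
        "spec": {"host": "details.default.svc.cluster.local",
                 "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
                 "subsets": [
                     {"name": "v1", "labels": {"version": "v1"}},
                     {"name": "v2", "labels": {"version": "v2"},
                      "trafficPolicy": {"tls": {"mode": "DISABLE"}}},
                 ]},
    },
]


def tls_mode(traffic_policy):
    """Return trafficPolicy.tls.mode, or None when the policy does not set it."""
    return ((traffic_policy or {}).get("tls") or {}).get("mode")


def check_destination_rule(rule):
    """Return the list of findings for one DestinationRule; empty means compliant."""
    meta = rule.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = rule.get("spec", {})
    findings = []

    top_mode = tls_mode(spec.get("trafficPolicy"))
    if top_mode not in MTLS_MODES:
        findings.append(
            f"{name}: trafficPolicy.tls.mode is {top_mode or 'unset'}; "
            f"expected one of {sorted(MTLS_MODES)}")

    # Subsets inherit the rule-level trafficPolicy; a subset that sets its own
    # tls.mode overrides it, so a single subset can silently drop mTLS.
    for subset in spec.get("subsets", []):
        sub_mode = tls_mode(subset.get("trafficPolicy"))
        if sub_mode is not None and sub_mode not in MTLS_MODES:
            findings.append(
                f"{name} subset {subset.get('name', '?')}: tls.mode {sub_mode} "
                f"overrides the rule-level setting")
    return findings


def audit(rules):
    """Map each DestinationRule (namespace/name) to its findings."""
    report = {}
    for rule in rules:
        if rule.get("kind") != "DestinationRule":
            continue
        meta = rule["metadata"]
        report[f"{meta['namespace']}/{meta['name']}"] = check_destination_rule(rule)
    return report


if __name__ == "__main__":
    for target, findings in audit(DESTINATION_RULES).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {target}")
        for finding in findings:
            print("   ", finding)
```

A DestinationRule only governs the client side of the connection; whether a workload will actually refuse plaintext is set by Istio's authentication policy resources, so a complete benchmark pairs this check with one over those policies, and a rule that is missing entirely (no DestinationRule for a host) is a finding the check above can only surface if it is also fed the list of services in the mesh.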

Summary

Combining Twistlock with Istio lets you pair Istio's policy-based microsegmentation with Twistlock's learning-based runtime defenses, providing defense in depth for your deployed applications.

Learn more about Istio

To learn more about Istio, check out our CTO John Morello’s talk from KubeCon 2018: Is Istio the Most Next Gen, Next Gen Firewall Ever?

Or watch this video conversation from the Cloud Native Security Podcast with Twistlock Director of Evangelism Sonya Koptyev and Solutions Architect Neil Carpenter.
