This technical deep dive highlights key capabilities released as part of Twistlock 18.11. To learn more about what’s included with Twistlock 18.11, check out our full release blog post.
Istio is the rising star of service meshes, providing flexible controls for defining & applying microsegmentation policies to applications. Complexity often follows flexibility, though.
Twistlock 18.11 introduces new tools for visualizing and validating Istio configuration as part of your overall deployment: you can see how your Istio policies apply to the containers actually running, and you can check that Istio itself has been deployed in line with best practice.
Service mesh visualization
Twistlock already includes best-in-class learning and visualization of container traffic. In 18.11, we extend this to include Istio policies. For example, using Istio’s Bookinfo sample application:
This view shows us all of the configured policies for containers deployed in the application. We can see the microservices that make up the application (productpage, details, reviews, and ratings), and the three different versions of the reviews service that are deployed. Finally, in this view we can see the policies allowing communication between the microservices, and we can see that the examples-bookinfo-productpage-v1 service receives traffic from the outside world.
If we dig deeper into the microservices, we can see the Istio service roles assigned to them as well. For example, if we look at the productpage:
We can see the details of the underlying ServiceRole, including the applicable services, methods, and paths, visualized for us.
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: details-reviews-viewer
  namespace: default
spec:
  rules:
  - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
    methods: ["GET"]
```
This lets security teams inspect and understand at a glance how Istio is being used, rather than digging through the assorted configuration YAMLs distributed across the cluster.
Compliance checks for Istio
Twistlock 18.11 includes a full set of Istio compliance benchmarks, allowing you to test your existing deployment against recommended practice and audit for configuration drift against these benchmarks.
With these benchmarks configured, you can see whether you're in compliance. For example, in my Bookinfo deployment, I can see that I could do a better job of configuring TLS with DestinationRules. The DestinationRule's trafficPolicy.tls.mode is where the client-side sidecar is told to use ISTIO_MUTUAL for a given host; a rule that leaves it unset falls back to the mesh-wide default, and a subset-level trafficPolicy can quietly override the host-level mode for one version of a service, so both levels are worth checking:
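The two checks above (the per-service view of which callers a ServiceRole admits, and the DestinationRule TLS audit) can be reproduced outside the UI. The script below is an added example written for this post, not Twistlock's or Istio's code. Its input resources are constructed to mirror the Bookinfo RBAC sample (the ServiceRole is the one shown above; the `bind-details-reviews` binding and the `bookinfo-productpage` service-account identity follow that sample) and are represented as the dicts `kubectl get ... -o json` would return, so it runs offline. The DestinationRules, including the `ratings` v2 subset that downgrades to DISABLE, are assumptions made for the demonstration.

```python
"""Added example (not Twistlock or Istio code): who may call a service under
Istio v1alpha1 RBAC, and which DestinationRules leave client mTLS unset or
downgraded. Input mirrors the Bookinfo RBAC sample; no cluster needed."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Tuple

STRONG_TLS = {"ISTIO_MUTUAL", "MUTUAL"}

# Constructed input. DestinationRule contents (and the ratings v2 DISABLE
# override) are assumptions for this demo, not taken from the page.
RESOURCES: List[dict] = [
    {"kind": "ServiceRole",
     "metadata": {"name": "details-reviews-viewer", "namespace": "default"},
     "spec": {"rules": [{"services": ["details.default.svc.cluster.local",
                                      "reviews.default.svc.cluster.local"],
                         "methods": ["GET"]}]}},
    {"kind": "ServiceRoleBinding",
     "metadata": {"name": "bind-details-reviews", "namespace": "default"},
     "spec": {"subjects": [{"user": "cluster.local/ns/default/sa/bookinfo-productpage"}],
              "roleRef": {"kind": "ServiceRole", "name": "details-reviews-viewer"}}},
    {"kind": "DestinationRule",
     "metadata": {"name": "reviews", "namespace": "default"},
     "spec": {"host": "reviews", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
              "subsets": [{"name": "v1", "labels": {"version": "v1"}}]}},
    {"kind": "DestinationRule",  # no trafficPolicy at all
     "metadata": {"name": "details", "namespace": "default"},
     "spec": {"host": "details", "subsets": [{"name": "v1", "labels": {"version": "v1"}}]}},
    {"kind": "DestinationRule",  # strong at host level, downgraded for one subset
     "metadata": {"name": "ratings", "namespace": "default"},
     "spec": {"host": "ratings", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
              "subsets": [{"name": "v1", "labels": {"version": "v1"}},
                          {"name": "v2", "labels": {"version": "v2"},
                           "trafficPolicy": {"tls": {"mode": "DISABLE"}}}]}},
]


def _ns_name(res: dict) -> str:
    md = res["metadata"]
    return f"{md.get('namespace', 'default')}/{md['name']}"


def role_subjects(resources: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each ServiceRole (ns/name) to the subjects its bindings grant it to."""
    subjects: Dict[str, List[str]] = {}
    for res in resources:
        if res.get("kind") != "ServiceRoleBinding":
            continue
        key = f"{res['metadata'].get('namespace', 'default')}/{res['spec']['roleRef']['name']}"
        for subj in res["spec"].get("subjects", []):
            # A subject is a single identity ("user") or a set of properties.
            label = subj.get("user") or "properties:" + ",".join(
                f"{k}={v}" for k, v in sorted(subj.get("properties", {}).items()))
            subjects.setdefault(key, []).append(label)
    return subjects


def who_can_call(resources: List[dict], service: str) -> List[Tuple[str, List[str], List[str]]]:
    """(subject, methods, paths) triples allowed to reach `service`, the per-service
    view the page describes. `services` entries may contain "*" wildcards."""
    bound = role_subjects(resources)
    allowed = []
    for res in resources:
        if res.get("kind") != "ServiceRole":
            continue
        for rule in res["spec"].get("rules", []):
            if not any(fnmatchcase(service, pat) for pat in rule.get("services", [])):
                continue
            methods, paths = rule.get("methods", ["*"]), rule.get("paths", ["*"])
            for subject in bound.get(_ns_name(res), []):  # unbound roles grant nothing
                allowed.append((subject, methods, paths))
    return allowed


def mtls_findings(resources: Iterable[dict]) -> List[str]:
    """Flag DestinationRules whose host-level tls.mode is not ISTIO_MUTUAL/MUTUAL,
    and subsets whose own trafficPolicy overrides it with a weaker mode."""
    findings = []
    for res in resources:
        if res.get("kind") != "DestinationRule":
            continue
        name, spec = _ns_name(res), res.get("spec", {})
        host_mode = spec.get("trafficPolicy", {}).get("tls", {}).get("mode")
        if host_mode not in STRONG_TLS:
            findings.append(f"{name} (host {spec.get('host')}): tls.mode is "
                            f"{host_mode or 'unset'}; relies on the mesh default")
        for subset in spec.get("subsets", []):
            sub_mode = subset.get("trafficPolicy", {}).get("tls", {}).get("mode")
            if sub_mode is not None and sub_mode not in STRONG_TLS:
                findings.append(f"{name} subset {subset.get('name')}: tls.mode "
                                f"{sub_mode} overrides the host-level setting")
    return findings


if __name__ == "__main__":
    for svc in ("details", "reviews", "ratings"):
        print(svc, "<-", who_can_call(RESOURCES, f"{svc}.default.svc.cluster.local"))
    for finding in mtls_findings(RESOURCES):
        print("FINDING:", finding)
```

Run against a real cluster by replacing `RESOURCES` with the `items` of `kubectl get servicerole,servicerolebinding,destinationrule -A -o json`. Note that a ServiceRole with no ServiceRoleBinding grants nothing, which is why `who_can_call` joins through the bindings rather than reading roles alone.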
Pairing Twistlock with Istio gives you defense-in-depth for your deployed applications: Istio's policy-based micro-segmentation alongside Twistlock's learning-based runtime defenses.
To learn more about Istio, check out our CTO John Morello’s talk from KubeCon 2018: Is Istio the Most Next Gen, Next Gen Firewall Ever?