Advanced Access Control
Extend your access control policies to Docker & Kubernetes
Twistlock’s Access Control solution lets you define and enforce fine-grained policies governing user access to Docker and Kubernetes resources. Extend existing policies or define new ones; the access control layer is flexible and powerful enough to handle most enterprise use cases.
LDAP/AD integration
Twistlock provides out-of-the-box integration with enterprise identity directories such as Active Directory and other LDAP directories, so you can specify access policies for container resources without creating identities and groups outside your central directory. This integration is key to extending the organization’s access control logic to new system assets like Docker.
Flexible RBAC policies
We support a flexible yet powerful policy framework that governs user access to the individual functions/APIs of Docker and Kubernetes. A user can be an individual or a group, and a resource can be a single API or a group of APIs. Policies support exceptions as well as inclusions, and can specify the number of containers to which a policy applies.
Advanced rules engine
Twistlock’s access control rules engine supports advanced scenarios such as applying a policy only to the containers created by a particular user, constraining the number of containers a policy applies to, blocking access to device paths, and location-based policies.
Seamless proxy with Kerberos integration
Docker uses Kerberos authentication between a Docker client and the daemon. Twistlock provides out-of-the-box integration with Kerberos authorization workflows, allowing it to be inserted as a proxy in front of the Docker daemon without changing either the client or the daemon code.
Access Control At A Glance
Access control policy framework:
- Who: user or groups
- API resources: run, list, exec, create, kill, inspect, …
- Control actions: Allow, Deny
- Other dimensions (sample list):
  - Scope: number of containers to which this policy applies
  - Ownership: rules applied to the containers a user owns
  - Location: rules based on client locations
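The policy dimensions listed above (subject, API resource, Allow/Deny with exceptions, scope, ownership and location) can be combined into a single evaluation step. The following is an added illustration of one way to do that, not Twistlock’s own implementation: rule and request shapes, the `decide` function, the sample policy and the user, group and location names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional
CREATE_ACTIONS = frozenset({"run", "create"})  # actions that add a container

@dataclass(frozen=True)
class Rule:
    subjects: FrozenSet[str]                    # user names or "group:<name>" entries
    actions: FrozenSet[str]                     # Docker API actions the rule covers
    effect: str                                 # "Allow" or "Deny"
    exceptions: FrozenSet[str] = frozenset()    # actions carved out of `actions`
    max_containers: Optional[int] = None        # Scope: cap on containers the caller owns
    owner_only: bool = False                    # Ownership: only containers the caller created
    locations: Optional[FrozenSet[str]] = None  # Location: allowed client locations, None = any

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    action: str
    location: str
    target_owner: Optional[str] = None  # creator of the container being acted on, if any
    owned_running: int = 0              # containers the caller already owns

def decide(rules: Iterable[Rule], req: Request) -> str:
    """Default deny; any matching Deny wins; an Allow must also pass scope and ownership."""
    subjects = {req.user} | {f"group:{g}" for g in req.groups}
    allowed = False
    for rule in rules:
        if not (rule.subjects & subjects) or req.action not in rule.actions \
                or req.action in rule.exceptions \
                or (rule.locations is not None and req.location not in rule.locations):
            continue  # rule does not apply to this subject, action or location
        if rule.effect == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        if rule.owner_only and req.target_owner not in (None, req.user):
            continue  # Ownership: the target container belongs to another user
        if rule.max_containers is not None and req.action in CREATE_ACTIONS \
                and req.owned_running >= rule.max_containers:
            continue  # Scope: caller already holds the maximum number of containers
        allowed = True
    return "Allow" if allowed else "Deny"

# Constructed sample policy: devs manage their own containers (max 5) from the office
# but may never kill; contractors can never exec, whatever else they are granted.
POLICY = [
    Rule(frozenset({"group:devs"}), frozenset({"run", "list", "exec", "inspect", "kill"}), "Allow",
         exceptions=frozenset({"kill"}), max_containers=5, owner_only=True,
         locations=frozenset({"office"})),
    Rule(frozenset({"group:contractors"}), frozenset({"exec"}), "Deny"),
]
```

A proxy in front of the daemon would build the `Request` from the authenticated identity, the parsed API call and the client address, then forward the call only when `decide` returns `"Allow"`.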
“We are delighted with Twistlock’s ability to enable access control policies to our Kubernetes cluster. Their integration with AD allowed us to tie in authentication rules with existing AD groups and extend our existing policies to these new resources.”