Advanced Access Control

Extend your access control policies to Docker & Kubernetes

Twistlock’s Access Control solution allows you to define and enforce fine-grained policies governing user access to Docker and Kubernetes resources. Extend existing policies or define new ones: the access control layer is flexible and powerful enough to handle most enterprise use cases.

Docker & Kubernetes Access Control

LDAP/AD integration

Twistlock provides out-of-the-box integration with enterprise identity directories such as Active Directory and other LDAP directories, so you can specify access policies for container resources without creating identities and groups outside your central directory. This integration is key to extending the organization’s access control logic to new system assets like Docker.

Flexible RBAC policies

We support a flexible yet powerful policy framework that governs user access to individual functions/APIs of Docker and Kubernetes. A user can be an individual or a group, and a resource can be a single API or a group of APIs. Policies support exceptions as well as inclusions, and can specify the number of containers to which a policy applies.

Advanced rules engine

Twistlock’s access control rules engine supports a variety of advanced scenarios, such as applying a policy only to the containers created by a particular user, constraining the number of containers a policy applies to, blocking access to device paths, and location-based policies.

Seamless proxy with Kerberos integration

Docker uses Kerberos authentication between a Docker client and the daemon. Twistlock provides out-of-the-box integration with Kerberos authorization workflows, allowing it to be inserted as a proxy in front of the Docker daemon without changing either the client or the daemon code.

User access audit trails

Twistlock provides detailed user access audit trails, including identities, action types, services requested, management actions (e.g., allow, deny), and timestamps. You can export the entire audit trail to external logging and forensics systems.

Access Control At A Glance

Access control policy framework:

  • Who: user or groups
  • API resources: run, list, exec, create, kill, inspect, …
  • Control actions: Allow, Deny
  • Other dimensions (sample list):
    • Scope: number of containers to which this policy applies
    • Ownership: rules applied to the containers a user owns
    • Location: rules based on client locations
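To make the dimensions above concrete, here is an added illustrative policy evaluator. It is example code written for this page, not Twistlock’s engine or any of its APIs; the policy model, the group names, the CIDR ranges and the "Deny overrides Allow, default deny" combining rule are assumptions chosen for the example. It covers each listed dimension: subjects (users or groups), API resources with exceptions, Allow/Deny, a scope cap on containers, ownership-restricted rules, and client-location matching.

```python
# Added illustrative example: evaluator for a Docker API access-control policy
# with the dimensions listed above (who, API resource, Allow/Deny, exceptions,
# scope, ownership, location). Hypothetical model and names, not Twistlock's.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

CONTAINER_CREATING_APIS = {"run", "create"}  # APIs counted against the scope cap


@dataclass
class Policy:
    name: str
    subjects: set                                   # users, or groups as "group:<name>"
    apis: set                                       # Docker API actions covered
    action: str                                     # "Allow" or "Deny"
    exceptions: set = field(default_factory=set)    # APIs carved out of `apis`
    max_containers: Optional[int] = None            # scope: cap per subject
    owner_only: bool = False                        # ownership: only the user's containers
    locations: Optional[set] = None                 # location: allowed client CIDRs


@dataclass
class Request:
    user: str
    groups: set
    api: str
    client_ip: str
    container_owner: Optional[str] = None   # owner of the target container, if any
    containers_owned: int = 0               # containers the user already runs


def _matches(policy: Policy, req: Request) -> bool:
    """True when every dimension of the policy applies to this request."""
    subjects = {req.user} | {f"group:{g}" for g in req.groups}
    if not policy.subjects & subjects:
        return False
    if req.api not in policy.apis or req.api in policy.exceptions:
        return False
    if policy.owner_only and req.container_owner != req.user:
        return False
    if policy.locations is not None:
        client = ip_address(req.client_ip)
        if not any(client in ip_network(cidr) for cidr in policy.locations):
            return False
    return True


def evaluate(policies, req: Request) -> tuple:
    """Default deny; an explicit Deny beats any Allow; scope is checked on Allow."""
    matched = [p for p in policies if _matches(p, req)]
    for p in matched:
        if p.action == "Deny":
            return ("Deny", p.name)
    for p in matched:
        if p.action == "Allow":
            if (p.max_containers is not None
                    and req.api in CONTAINER_CREATING_APIS
                    and req.containers_owned >= p.max_containers):
                return ("Deny", f"{p.name}: scope limit {p.max_containers}")
            return ("Allow", p.name)
    return ("Deny", "default")


# Constructed sample policies (hypothetical groups and CIDRs).
SAMPLE_POLICIES = [
    # Developers may use most APIs from the corporate network, at most 5 containers,
    # but "kill" is an exception to this rule.
    Policy("developers-basic", {"group:developers"},
           {"run", "create", "list", "exec", "inspect", "kill"},
           "Allow", exceptions={"kill"}, max_containers=5,
           locations={"10.0.0.0/8"}),
    # Developers may kill only the containers they own (ownership dimension).
    Policy("developers-own-containers", {"group:developers"}, {"kill"},
           "Allow", owner_only=True),
    # Contractors are never allowed to exec into containers; Deny wins.
    Policy("contractors-no-exec", {"group:contractors"}, {"exec"}, "Deny"),
]


def check(user, groups, api, client_ip, container_owner=None, containers_owned=0):
    """Evaluate one request against SAMPLE_POLICIES; returns (decision, reason)."""
    req = Request(user, set(groups), api, client_ip, container_owner, containers_owned)
    return evaluate(SAMPLE_POLICIES, req)


if __name__ == "__main__":
    print(check("alice", {"developers"}, "run", "10.1.2.3", containers_owned=2))
    print(check("alice", {"developers"}, "run", "203.0.113.5"))
    print(check("alice", {"developers"}, "kill", "10.1.2.3", container_owner="bob"))
    print(check("alice", {"developers"}, "kill", "10.1.2.3", container_owner="alice"))
    print(check("carol", {"developers", "contractors"}, "exec", "10.9.9.9"))
```

The combining rule matters for auditability: because an explicit Deny always overrides an Allow and the default is Deny, each decision returned by `evaluate` names the single policy that decided it, which is the kind of reason a user access audit trail needs to record alongside identity, action and timestamp.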

“We are delighted with Twistlock’s ability to enable access control policies to our Kubernetes cluster. Their integration with AD allowed us to tie in authentication rules with existing AD groups and extend our existing policies to these new resources.”

Director, IT operations, A large medical research organization
