Twistlock provides out-of-box integration with enterprise identity directories like Active Directory, OpenLDAP, and SAML providers, so you can specify access policies to container resources without having to create identities and groups outside your central directories. This integration is key to extending your organization’s access control logic to new system assets like Docker.
We support a flexible yet powerful policy framework that governs user access to individual functions/APIs of Docker and Kubernetes. A user can be an individual or a group, and resources can be a single API or a group of APIs. Apply rules to resources based on flexible pattern matching of image, container, and host names, as well as Docker labels.
Twistlock access control rules engine supports a variety of advanced scenarios such as ensuring a policy is only applied to the containers created by a particular user, constraining the number of containers a policy applies to, blocking access to device paths, as well as location-based policies.
Provide powerful multi-factor authentication controls for your environment with built in support for certificate based authentication in access control flows. Use standard x.509 certificates in both software stores and smart cards to authenticate to the Twistlock Console and to run commands with the Docker client. Native support for CAC and PIV certificate formats, support for authenticating accounts in Active Directory, and certificate pinning allows you to extend strong authentication into your cloud native environment.
Many organizations already use Kerberos authentication with existing systems like Active Directory. Twistlock makes it easy to integrate Kerberos realms with your container environment and use Kerberos tickets to authenticate Docker commands.
Twistlock provides detailed user access audit trails, including identities, action types, services requested, management actions (e.g., allow, deny), and timestamps. You can export the entire audit trail to external logging and forensics tools.