Twistlock supports Helm through twistcli (19.03+). This repository remains available to assist customers who may wish to work with an older version of Twistlock or create their own charts, but it should be considered deprecated.
Helm chart for installing Twistlock Console into Kubernetes with script for installing Twistlock Defender daemonset
Just clone this repository and install from the charts. We don't make Twistlock charts available from the Helm package repository because our product is commercial.
You will need Helm installed: the Helm client locally and the Tiller server component on your Kubernetes cluster.
You will need to configure your Kubernetes cluster firewall rules to allow ingress traffic on port 8081 for HTTP and 8083 for HTTPS browser access. Port 8084 is used for Defender to Console WSS communications within your cluster.
You will need the access token that comes with your Twistlock subscription; look for this in an e-mail from Twistlock support.
You will need a local installation of the kubectl command that has been configured for the management of the target Kubernetes cluster.
You will need the access token and the license that was provided to you by the Twistlock account team.
First, copy the file twistlock-console/valuesTemplate.yaml to twistlock-console/values.yaml.
Next, edit twistlock-console/values.yaml, adding in the appropriate values for the version, imageTag, imageName, and accessToken parameters.
Note: the Twistlock release should be formatted with underscores as the version separator in the imageTag parameter (19_03_307), and with periods in the version parameter (19.03.307).
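A pre-flight check for the edited values.yaml, as an added example that is not part of the Twistlock repository: it confirms that version uses periods, imageTag uses underscores, both name the same release, and imageName and accessToken are set. It assumes each parameter sits on its own `key: value` line; the function names `yaml_value` and `check_values` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for twistlock-console/values.yaml.
# Assumption: each parameter is on its own "key: value" line (any indentation).

# Print the value of key $1 from file $2, without quotes or trailing comments.
yaml_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
        sed -e 's/^#.*$//' -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Return 0 if the file is consistent, 1 on a bad value, 2 if it is unreadable.
check_values() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    version=$(yaml_value version "$file")
    image_tag=$(yaml_value imageTag "$file")
    image_name=$(yaml_value imageName "$file")
    token=$(yaml_value accessToken "$file")

    # version is written with periods, imageTag with underscores.
    echo "$version" | grep -Eq '^[0-9]+(\.[0-9]+)+$' ||
        { echo "version '$version' must use periods" >&2; rc=1; }
    echo "$image_tag" | grep -Eq '^[0-9]+(_[0-9]+)+$' ||
        { echo "imageTag '$image_tag' must use underscores" >&2; rc=1; }

    # Both parameters must name the same release.
    [ "$(echo "$version" | tr . _)" = "$image_tag" ] ||
        { echo "version and imageTag name different releases" >&2; rc=1; }

    # An empty image name or token only fails later, at image pull time.
    [ -n "$image_name" ] || { echo "imageName is empty" >&2; rc=1; }
    [ -n "$token" ] || { echo "accessToken is empty" >&2; rc=1; }

    return $rc
}

# Check a file when one is given on the command line.
[ $# -eq 0 ] || check_values "$1"
```

Run it as `sh check_values.sh twistlock-console/values.yaml` before `helm install`; a non-zero exit status means the file needs another edit.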
There are several parameters in charts/twistlock-console/charts/console/values.yaml that should be reviewed for correctness in the target environment:
- serviceType: either LoadBalancer or NodePort. (default: LoadBalancer)
- persistentVolumeSize: a 10Gi PV will suffice for a very small POC deployment. For a deployment of any significance, a PV of 50Gi or higher should be used. (default: 50Gi)
- httpPort, httpsPort, commPort: these parameters define the Console service ports. Although they can be changed, it is recommended to retain the defaults for operational simplicity. (default: 8081, 8083, and 8084)
Run the following helm command to install the Console:
$ helm install twistlock-console -n twistlock-console --namespace=twistlock
- -n twistlock-console: set the release name to twistlock-console
- --namespace=twistlock: install into the twistlock namespace
The Console address can be found in the External IP field in the output of the following command:
$ kubectl get service -n twistlock
Open a browser to https://<CONSOLE_ADDRESS>:8083, enter a username and password to create an initial administrator account, then enter your license into the provided text box.
Note: Port 8083 is the default HTTPS port for the Console. If you changed it in values.yaml, please replace 8083 with the appropriate value.
Although this Helm chart is limited to the installation of the Twistlock Console only, we have provided a shell script to help automate the installation of the Defender daemonset.
The script install_defender_ds.sh should be executed after the Console is running and the license has been installed.
The script accepts a single argument that should match the httpsPort of the Console (default: 8083).
$ ./install_defender_ds.sh 8083
For more information, see the documentation covering the installation of Defenders under Kubernetes.
First, remove the Defender daemonset by running:
$ kubectl delete -f defender_ds.yaml
Then, remove the Twistlock Console and namespace:
$ helm delete twistlock-console --purge
$ kubectl delete ns twistlock
New users can find details on getting started with some of Twistlock's key features in the following articles: