Skip to content

To upgrade the Twistlock Package📜

Twistlock is a BB created/maintained chart. As such there are typically no/minimal chart changes required for updates outside of a few select pieces listed below.

Updating Grafana Dashboards📜

The dashboards are pulled from here via Kptfile. Typically you should run kpt pkg update chart/dashboards --strategy force-delete-replace to pull in the latest dashboards. Check if dashboards have changed before running this step, as of early 2024, they have not had any modifications in the last 2 years.

Update dependencies📜

Twistlock only uses a Gluon dependency. Validate it is on the latest version in chart/Chart.yaml then run helm dependency update chart.

Update scripts/policies📜

The main thing that might break across updates is the initialization script process. This requires a lot of manual checking/testing and modification of the scripts under chart/scripts or the JSON data under chart/policies depending on issues that you encounter.

It is helpful to debug this in a few ways: - Log requests that are sent to the API by adding echo commands or other basic debug around the area of the script that failed. It can be especially helpful to log things inside of callapi(). - Utilize the development tools/console in a browser to intercept requests and make the same configuration manually. Then conpare the data sent via browser to what is set up in chart/policies. - Validate that API changes have not occured - https://pan.dev/compute/api/

Modifications made to upstream📜

chart/dashboards/

  • pull down the new dashboards
    kpt pkg get https://github.com/PaloAltoNetworks/pcs-metrics-monitoring/grafana/dashboards/Prisma-Cloud-Dashboards dashboards
    
  • cd into this directory and run the following commands to update the dashboards’ logic:
    sed -i 's/job=\\"twistlock\\"/job=\\"twistlock-console\\"/g' $(find . -type f | grep .json) && \
    sed -i 's/grafana-piechart-panel/piechart/g' $(find . -type f | grep .json)
    

We also add the value of twistlock to the tags key in all dashboard json files from:

for example:

"tags": [],
to:
"tags": [
      "twistlock"
    ],
…which allows a user to filter by the twistlock tag in Grafana to locate these particular dashboards more easily.

chart/scripts - added script to add DNS SANs - modified script to call - modified script to add TWISTLOCK_DEFENDER_PODLABELS and TWISTLOCK_DEFENDER_RESOURCES to templates - modified to add TWISTLOCK_DEFENDER_PODLABELS and TWISTLOCK_DEFENDER_RESOURCES - modified to add in TWISTLOCK_ISTIO_URL (external Istio virtual service Twistlock endpoint)

chart/templates - modified to add app and version labels to defender

Testing new Twistlock Version📜

  • Configure SSO, add an SSO user with P1 SSO login, add “basic” user, set admin password to “admin”, and point to correct dockerset in overrides value file. The below values are an example, you will need to request the development license from someone on the team.
twistlock:
  enabled: true
  sso:
    enabled: true
    client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock"
  values:
    console:
      license: "license_here"
      credentials:
        password: "admin"
      additionalUsers:
        - username: micah.nagel
          authType: saml
          role: admin
        - username: foo
          authType: basic
          password: bar
          role: admin
    defender:
      dockerSocket: "/run/k3s/containerd/containderd.sock"
      selinux: false
      # Keep as false (default value) so that Kyverno policy, disallow-privileged-containers, does not block
      # Currently unclear if any defender functionality is lost, access to the service account token appears to be denied
      privileged: false
  • Validate that the Twistlock init job pod ran and completed, this should do all setup (license/user) and the required defender updates automatically (Pod is automatically removed after 30 minutes)

  • Login to twistlock/prisma cloud with the default credentials (if above values are used, admin/admin)

  • Under Manage -> Defenders -> Manage, make sure # of defenders online is equal to number of nodes on the cluster

    Defenders will scale with the number of nodes in the cluster. If there is a defender that is offline, check whether the node exists in cluster anymore. Cluster autoscaler will often scale up/down nodes which can result in defenders spinning up and getting torn down. As long as the number of defenders online is equal to the number of nodes everything is working as expected.

  • Ensure integration tests are passing by following thetest-package-against-bb doc and modify test-values with the following settings:

    twistlock:
      enabled: true
      git:
        tag: null
        branch: my-package-branch-that-needs-testing
      sso:
        enabled: true
        client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock"
      values:
        console:
          license: "license_here"
          credentials:
            password: "admin"
          additionalUsers:
            - username: micah.nagel
              authType: saml
              role: admin
            - username: foo
              authType: basic
              password: bar
              role: admin
        defender:
          dockerSocket: "/run/k3s/containerd/containderd.sock"
          selinux: false
          # Keep as false (default value) so that Kyverno policy, disallow-privileged-containers, does not block
          # Currently unclear if any defender functionality is lost, access to the service account token appears to be denied
          privileged: false
        istio:
          hardened:
            enabled: true
    

automountServiceAccountToken📜

The mutating Kyverno policy named update-automountserviceaccounttokens is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false. This policy is configured by namespace in the Big Bang umbrella chart repository at chart/templates/kyverno-policies/values.yaml.

This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods: array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.

Twistlock Accounts Group Documentation📜

You can use Account Groups to combine access to multiple cloud accounts with similar or different applications that span multiple divisions or business units, so that you can manage administrative access to these accounts from Prisma Cloud.

When you onboard a cloud account to Prisma Cloud, you can assign the cloud account to one or more account groups, and then assign the account group to Prisma Cloud Administrator Roles. Assigning an account group to an administrative user on Prisma Cloud allows you to restrict access only to the resources and data that pertain to the cloud account(s) within an account group. Alerts on Prisma Cloud are applied at the cloud account group level, which means you can set up separate alert rules and notification flows for different cloud environments. In addition, you can also create nested account groups which provides you more flexibility in mapping out your internal hierarchy.

Twistlock supports group based authentication. Each group can be assigned one of the following roles:

Role Access Level
Administrator
Operator
Defender Manager
Auditor
DevOps User
Access User
CI User

How to set arguments in values.yaml?📜

Following arguments are used in values.yaml file. Please set the values as per your need.

  1. group: ""
  -- name fof the group (required)

  2. role: ""
  -- Role based permissions for the user (required).  Valid values include 'admin', 'operator', 'cloudAccountManager', 'auditor', 'devSecOps', 'vulnerabilityManager', 'devOps', 'defenderManager', 'user', and 'ci'.  See https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/authentication/user_roles

  3. authType: ""
  -- Auth type for the groups  Valid values include 'ldapGroup', 'samlGroup', 'oauthGroup', or 'oidcGroup'. authType must already be configured as an identity provider in Twistlock a SSO groups are hidden until the associated authType is configured

Testing Twistlock Groups Version📜

  • The below values are an example, you will need to request the development license from someone on the team.
twistlock:
  enabled: true
  sso:
    enabled: true
    client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock"
  values:
    console:
      license: "license_here"
      credentials:
        password: "admin"
      groups:
        - group: test
          authType: oidcGroup
          role: admin
    defender:
      dockerSocket: "/run/k3s/containerd/containderd.sock"
      selinux: false
      privileged: true