Deploy Defenders outside an OpenShift Cluster

This guide demonstrates how to deploy Prisma Cloud Defenders outside the OpenShift cluster where Prisma Cloud Console is running. You need to expose the Prisma Cloud Console service's TCP ports 8083 and 8084 as external OpenShift routes. Each route will be a unique, fully qualified domain name. In this example, you deploy Prisma Cloud Defenders as a DaemonSet in a second OpenShift cluster and to a Windows Server 2016 with Containers node. Prisma Cloud API calls are made to the Prisma Cloud Console external OSE route https://console1.apps.jonathan.lab.twistlock.com, and the Prisma Cloud Defenders communicate with the Console via wss://defenders.apps.jonathan.lab.twistlock.com:443.
Prerequisites:

OpenShift and Prisma Cloud Console configuration

All commands are run from a system that is external to the OpenShift Cluster using the oc and twistcli commands.
  1. Log into the OpenShift Cluster running the Prisma Cloud Console.
  2. Go to Prisma Cloud Project > Applications > Routes.
  3. Create New Route.
    1. Name: twistlock-defender.
    2. Hostname: defenders.apps.jonathan.lab.twistlock.com.
    3. Target Port: 8084 → 8084.
    4. Security:
      • TLS Termination: Passthrough.
      • Insecure Traffic: Redirect.
  4. Add the new route to the Prisma Cloud Console's SubjectAlternativeName.
    1. In the Prisma Cloud Console go to Manage > Defenders > Names.
    2. Click Add SAN.
    3. Add the new route FQDN defenders.apps.jonathan.lab.twistlock.com.

Deploy Prisma Cloud Defender Daemonset in Second OpenShift Cluster

Using the twistcli tool, generate the Prisma Cloud Defender defender.yaml file.
  1. Run the command:
    $ linux/twistcli defender export openshift \
        --address https://console1.apps.jonathan.lab.twistlock.com \
        --cluster-address defenders.apps.jonathan.lab.twistlock.com \
        --namespace twistlock \
        --selinux-enabled
  2. Edit the resulting defender.yaml and change:
    - name: WS_ADDRESS
      value: wss://defenders.apps.jonathan.lab.twistlock.com:8084
    to:
    - name: WS_ADDRESS
      value: wss://defenders.apps.jonathan.lab.twistlock.com:443
  3. oc login to the OpenShift Cluster you will be deploying the Prisma Cloud Defenders to.
  4. Create the Prisma Cloud Project: oc new-project twistlock.
  5. Deploy the Twistlock Defender daemonset: oc create -f ./defender.yaml.
  6. The Defenders in the second OpenShift Cluster will appear in the Prisma Cloud Console's Manage > Defenders > Manage.
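The two things that make the external-route deployment work are the WS_ADDRESS port (443 for the passthrough route, not 8084) and the route FQDN being present in the Console's SANs. The following added helper, not part of this guide or of twistcli, rewrites WS_ADDRESS in an exported defender.yaml and checks both conditions against a constructed excerpt and a constructed SAN list:

```python
"""Rewrite and sanity-check WS_ADDRESS in a twistcli-exported defender.yaml."""
import re
from urllib.parse import urlsplit

# Constructed excerpt of a Defender DaemonSet env block (not a real export).
SAMPLE_DEFENDER_YAML = """\
        env:
        - name: WS_ADDRESS
          value: wss://defenders.apps.jonathan.lab.twistlock.com:8084
        - name: DEFENDER_TYPE
          value: daemonset
"""


def find_ws_address(yaml_text: str):
    """Return the value of the WS_ADDRESS env entry, or None if absent."""
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() in ("- name: WS_ADDRESS", "name: WS_ADDRESS"):
            for nxt in lines[i + 1:i + 3]:  # value: normally follows on the next line
                m = re.match(r"\s*value:\s*(\S+)", nxt)
                if m:
                    return m.group(1)
    return None


def rewrite_ws_address(yaml_text: str, route_host: str, route_port: int = 443) -> str:
    """Point WS_ADDRESS at the external passthrough route (host:443 instead of host:8084)."""
    old = find_ws_address(yaml_text)
    if old is None:
        raise ValueError("WS_ADDRESS not found in defender.yaml")
    return yaml_text.replace(f"value: {old}", f"value: wss://{route_host}:{route_port}", 1)


def check_ws_address(yaml_text: str, console_sans, route_port: int = 443) -> list:
    """Return a list of problems; empty means the Defender can reach Console via the route."""
    value = find_ws_address(yaml_text)
    if value is None:
        return ["WS_ADDRESS missing"]
    u = urlsplit(value)
    problems = []
    if u.scheme != "wss":
        problems.append(f"scheme {u.scheme!r} is not wss")
    if u.port != route_port:
        problems.append(f"port {u.port} is not the route port {route_port} (passthrough route listens on 443)")
    if u.hostname not in console_sans:
        problems.append(f"{u.hostname} is not a Console SAN; add it under Manage > Defenders > Names")
    return problems
```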

Deploy Prisma Cloud Defender on Windows Server 2016 w/ Containers Node

Deploy Prisma Cloud Defender on a Windows Server 2016 node.
  1. Log into Prisma Cloud Console.
  2. Go to Manage > Defenders > Deploy.
    1. 1.a = console1.apps.jonathan.lab.twistlock.com.
    2. 1.b = Docker on Windows.
  3. Copy the PowerShell script that is generated in 1.c.
  4. Modify the following in the script:
    1. Remove ":8083" from the -Uri:
      -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1"
    2. Change the -consoleCN to the twistlock-defender FQDN and add the -wsPort 443 parameter:
      -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443
  5. The resulting script looks similar to the following:
    # Console-generated download helper: TrustAllCertsPolicy accepts any server certificate for the download below
    add-type "using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; }}";
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy;
    # Fetch defender.ps1 from the Console route (port :8083 removed from the URI)
    Invoke-WebRequest -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1" -Headers @{"authorization" = "Bearer <token>" } -OutFile defender.ps1;
    # Install the Defender, pointing it at the passthrough route on port 443
    .\defender.ps1 -type dockerWindows -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443 -install
  6. On the Windows Server node, run the script in a PowerShell x64 shell.
  7. The Windows Prisma Cloud Defender will appear in Manage > Defenders > Manage.
