End-of-Life (EoL)


Upgrade Prisma Cloud running in your Kubernetes cluster.

Upgrading Console

Since Prisma Cloud objects can be specified with configuration files, we recommend declarative object management for both install and upgrade.
You should have kept good notes when initially installing Prisma Cloud. The configuration options set in twistlock.cfg and the parameters passed to twistcli in the initial install are used to generate working configurations for the upgrade.
You know how you initially installed Prisma Cloud, including all options set in twistcli.cfg and parameters passed to twistcli.
  1. Download the latest Prisma Cloud release to the host where you manage your cluster with kubectl.
  2. If you customized twistlock.cfg, port those changes forward to twistlock.cfg in the latest release. Otherwise, proceed to the next step.
  3. Generate new YAML configuration file for the latest version of Prisma Cloud. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default basic install.
    $ <PLATFORM>/twistcli console export kubernetes --service-type LoadBalancer
  4. If you’re upgrading from 19.03, then you must first delete the old ReplicationController. Starting with 19.07, Prisma Cloud Console is managed by a Deployment controller.
    This is a one time step only. After upgrading to 19.07, you no longer need to manually delete the ReplicationContoller when upgrading to newer versions of Prisma Cloud.
    $ kubectl delete rc twistlock-console -n twistlock
  5. Update the Prisma Cloud objects.
    $ kubectl apply -f twistlock_console.yaml
    You can now upgrade your Defender DaemonSet.

Upgrade Defender DaemonSets with twistcli

Delete the Defender DaemonSet, then rerun the original install procedure.
You know all the parameters passed to twistcli when you initially deployed the Defender DaemonSet. You’ll need them to recreate a working configuration file for your environment.
  1. Delete the Defender DaemonSet.
    $ kubectl -n twistlock delete ds twistlock-defender-ds $ kubectl -n twistlock delete sa twistlock-service $ kubectl -n twistlock delete secret twistlock-secrets
  2. Determine the Console service’s external IP address.
    $ kubectl get service -o wide -n twistlock
  3. Generate a defender.yaml file. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default install.
    The following command connects to Console’s API (specified in --address) as user <ADMIN> (specified in --user), and retrieves a Defender DaemonSet YAML config file according to the configuration options passed to twistcli. In this command, there is just a single mandatory configuration option. The --cluster_address option specifies the address Defender uses to connect to Console, and the value is encoded in the DaemonSet YAML file.
    $ <PLATFORM>/twistcli defender export kubernetes \ --address https://yourconsole.example.com:8083 \ --user <ADMIN_USER> \ --cluster-address twistlock-console
    • <PLATFORM> can be linux or osx.
    • <ADMIN_USER> is the name of an admin user.
  4. Deploy the Defender DaemonSet.
    $ kubectl create -f defender.yaml
  5. In Prisma Cloud, go to
    Manage > Defenders > Manage > DaemonSets
    to see a list of deployed Defenders.

Upgrade Defender DaemonSets from Console

Upgrade the DaemonSet Defenders directly from the Console UI.
If you can’t access your cluster with kubectl, then you can upgrade Defender DaemonSets directly from the Console UI.
You’ve created a kubeconfig credential for your cluster so that Prisma Cloud can access it to upgrade the Defender DaemonSet.
  1. Log into Prisma Cloud Console.
  2. Go to
    Manage > Defenders > Manage
  3. Click
  4. For each cluster in the table, click
    Actions > Upgrade
    The table shows a count of deployed Defenders and their new version number.

Recommended For You