End-of-Life (EoL)

Deploy Defenders outside an OpenShift Cluster

This guide demonstrates how to deploy Prisma Cloud Defenders outside the OpenShift cluster where Prisma Cloud Console is running. You need to expose the Prisma Cloud-Console service’s TCP ports 8083 and 8084 as external OpenShift routes. Each route will be an unique, fully qualified domain name. In this example, you deploy Prisma Cloud Defenders as a DaemonSet in a second OpenShift cluster and to a Windows Server 2016 with Containers node. Prisma Cloud API calls are made to the Prisma Cloud-Console external OSE router https://console1.apps.jonathan.lab.twistlock.com The Prisma Cloud Defenders will communicate to the Console via wss://defenders.apps.jonathan.lab.twistlock.com:443
  • The Prisma Cloud Console is fully operational, Prisma Cloud OpenShift Deployment guide
  • An existing OpenShift external route to the Prisma Cloud-Console’s TCP port 8083 (Prisma Cloud UI and API)

OpenShift and Prisma Cloud Console configuration

All commands are run from a system that is external to the OpenShift Cluster using the
  1. Log into the OpenShift Cluster running the Prisma Cloud Console.
  2. Go to
    Prisma Cloud Project > Applications > Routes
  3. Create New Route.
    1. Name:
    2. Hostname:
    3. Target Port:
      8084 → 8084
    4. Security:
      • TLS Termination:
      • Insecure Traffic:
  4. Add the new route to the Prisma Cloud Console’s SubjectAlternativeName.
    1. In the Prisma Cloud Console go to
      Manage > Defenders > Names
    2. Click
      Add SAN
    3. Add the new route FQDN

Deploy Prisma Cloud Defender Daemonset in Second OpenShift Cluster

Using the twistcli tool generate the Prisma Cloud Defender defender.yaml file.
  1. Run the command:
    $ linux/twistcli defender export openshift \ --address https://console1.apps.jonathan.lab.twistlock.com \ --cluster-address defenders.apps.jonathan.lab.twistlock.com \ --namespace twistlock \ --selinux-enabled
  2. Edit the resulting
    and change:
    - name: WS_ADDRESS value: wss://defenders.apps.jonathan.lab.twistlock.com:8084
    - name: WS_ADDRESS value: wss://defenders.apps.jonathan.lab.twistlock.com:443
  3. oc login
    to the OpenShift Cluster you will be deploying the Prisma Cloud Defenders to.
  4. Create the Prisma Cloud Project
    oc new-project twistlock
  5. Deploy the Twislock Defender daemonset
    oc create -f ./defender.yaml
  6. The Defenders in the second OpenShift Cluster will appear in the Prisma Cloud Console’s
    Manage > Defenders > Manage

Deploy Prisma Cloud Defender on Windows Server 2016 w/ Containers Node

Deploy Prisma Cloud Defender on a Windows Server 2016 node.
  1. Log into Prisma Cloud Console.
  2. Go to
    Manage > Defenders > Deploy
    1. 1.a =
    2. 1.b =
      Docker on Windows
  3. Copy the powershell script that is generated in 1.c.
  4. Modify the following in the script:
    1. Remove “:8083” from the
      -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1"
    2. Change the
      to the twistlock-defender FQDN and add the
      -wsPort 443
      -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443
  5. The resulting script looks similar to the following:
    add-type "using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; }}"; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy; Invoke-WebRequest -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1" -Headers @{"authorization" = "Bearer <token>" } -OutFile defender.ps1; .\defender.ps1 -type dockerWindows -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443 -install
  6. On the Windows Server node, run the script in a Powershell x64 shell.
  7. The Windows Prisma Cloud Defender will appear in
    Manage > Defenders > Manage

Recommended For You