1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Howto
    6. Deploy Defenders outside an OpenShift Cluster
    End-of-Life (EoL)

    Deploy Defenders outside an OpenShift Cluster

    This guide demonstrates how to deploy Prisma Cloud Defenders outside the OpenShift cluster where Prisma Cloud Console is running. You need to expose the Prisma Cloud-Console service’s TCP ports 8083 and 8084 as external OpenShift routes. Each route will be an unique, fully qualified domain name. In this example, you deploy Prisma Cloud Defenders as a DaemonSet in a second OpenShift cluster and to a Windows Server 2016 with Containers node. Prisma Cloud API calls are made to the Prisma Cloud-Console external OSE router https://console1.apps.jonathan.lab.twistlock.com The Prisma Cloud Defenders will communicate to the Console via wss://defenders.apps.jonathan.lab.twistlock.com:443
    Prerequisites:
    • The Prisma Cloud Console is fully operational, Prisma Cloud OpenShift Deployment guide
    • An existing OpenShift external route to the Prisma Cloud-Console’s TCP port 8083 (Prisma Cloud UI and API)

    OpenShift and Prisma Cloud Console configuration

    All commands are run from a system that is external to the OpenShift Cluster using the
    oc
     and
    twistcli
     commands.
    1. Log into the OpenShift Cluster running the Prisma Cloud Console.
    2. Go to
      Prisma Cloud Project > Applications > Routes
      .
    3. Create New Route.
      1. Name:
        twistlock-defender
        .
      2. Hostname:
        defenders.apps.jonathan.lab.twistlock.com
        .
      3. Target Port:
        8084 → 8084
        .
      4. Security:
        • TLS Termination:
          Passthrough
          .
        • Insecure Traffic:
          Redirect
          .
    4. Add the new route to the Prisma Cloud Console’s SubjectAlternativeName.
      1. In the Prisma Cloud Console go to
        Manage > Defenders > Names
        .
      2. Click
        Add SAN
        .
      3. Add the new route FQDN
        defenders.apps.jonathan.lab.twistlock.com
        .

    Deploy Prisma Cloud Defender Daemonset in Second OpenShift Cluster

    Using the twistcli tool generate the Prisma Cloud Defender defender.yaml file.
    1. Run the command:
      $ linux/twistcli defender export openshift \
  --address https://console1.apps.jonathan.lab.twistlock.com \
  --cluster-address defenders.apps.jonathan.lab.twistlock.com \
  --namespace twistlock \
  --selinux-enabled
    2. Edit the resulting
      defender.yaml
       and change:
        - name: WS_ADDRESS
            value: wss://defenders.apps.jonathan.lab.twistlock.com:8084
      to:
        - name: WS_ADDRESS
            value: wss://defenders.apps.jonathan.lab.twistlock.com:443
    3. oc login
       to the OpenShift Cluster you will be deploying the Prisma Cloud Defenders to.
    4. Create the Prisma Cloud Project
      oc new-project twistlock
      .
    5. Deploy the Twislock Defender daemonset
      oc create -f ./defender.yaml
      .
    6. The Defenders in the second OpenShift Cluster will appear in the Prisma Cloud Console’s
      Manage > Defenders > Manage
      .

    Deploy Prisma Cloud Defender on Windows Server 2016 w/ Containers Node

    Deploy Prisma Cloud Defender on a Windows Server 2016 node.
    1. Log into Prisma Cloud Console.
    2. Go to
      Manage > Defenders > Deploy
      .
      1. 1.a =
        console1.apps.jonathan.lab.twistlock.com
        .
      2. 1.b =
        Docker on Windows
        .
    3. Copy the powershell script that is generated in 1.c.
    4. Modify the following in the script:
      1. Remove “:8083” from the
        -Uri
        .
        -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1"
      2. Change the
        -consoleCN
         to the twistlock-defender FQDN and add the
        -wsPort 443
         variable.
        -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443
    5. The resulting script looks similar to the following:
      add-type "using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; }}"; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy; Invoke-WebRequest -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1" -Headers @{"authorization" = "Bearer <token>" } -OutFile defender.ps1; .\defender.ps1 -type dockerWindows -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443 -install
    6. On the Windows Server node, run the script in a Powershell x64 shell.
    7. The Windows Prisma Cloud Defender will appear in
      Manage > Defenders > Manage
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo