End-of-Life (EoL)
System requirements
Before installing Prisma Cloud, verify that your environment meets the minimum requirements.
For information about when Prisma Cloud adds and drops support for third party software, see our support lifecycle page.
Hardware
Metal
: Prisma Cloud has the following hardware requirements:- Console —
- When up to 1,000 Defenders are connected, Console requires 4 vCPUs, 8GB of RAM, and 100GB of persistent storage.
- When 1,001 - 10,000 Defenders are connected, Console requires 8 vCPUs, 30GB of RAM, and 500GB of persistent storage.
- Defender — 256MB of RAM and 8GB of host storage.Defender uses cgroups to cap resource usage at 512MB of RAM and 900 CPU shares; typical load is ~1-5% CPU and 30-70MB RAMDefenders are designed to be portable containers that collect data. Any data that must be persisted is sent to to Console for storage. Defenders themselves do not require persistent storage. Do not deploy persistent storage for Defenders because it can corrupt Defender files.
- Defenders providing registry scanning-- 2GB of RAM, 20GB of storage, and 2 CPU cores.
- CI integration (Jenkins, twistcli) — Required storage space depends on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space (500MB * 1.5 * 2).
VMs
: Prisma Cloud has been tested on the following hypervisors:- Microsoft Hyper-V
- VirtualBox
- VMware
Cloud
: Prisma Cloud can run on nearly any cloud IaaS platform. Prisma Cloud has been tested on the following services:- Amazon Web Services
- Google Compute Engine
- IBM Cloud
- Microsoft Azure
- Oracle Cloud
File systems
If you’re deploying Prisma Cloud Console to AWS and you’re using the EFS file system, the following minimum performance characteristics are required:
- Performance mode:General purpose
- Throughput mode:Provisioned. Provision 0.1 MiB/s per deployed Defender. For example, if you plan to deploy 10 Defenders, provision 1 MiB/s of throughput.
Host operating systems
Prisma Cloud is supported on the following host operating systems:
Distro | Version |
|---|---|
Amazon Bottlerocket | Latest release Vulnerability and compliance blocking policies are not supported on Bottlerocket |
Amazon Linux 2 | Latest LTS release v2 |
CentOS | CentOS 7, CentOS 8 |
Debian | Debian 9 (Stretch), Debian 10 (Buster) |
GCOOS | Container-Optimized OS on Google Cloud latest GCOOS is purposefully minimalistic.
It doesn’t support installing new packages or writing new bins. Hence, Prisma Cloud’s vulnerability detection on GCOOS only covers Docker and Kubernetes package binary detection. |
Red Hat | Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux CoreOS (RHCOS) versions included in supported OpenShift releases |
Ubuntu | Ubuntu Server 20.04 LTS, 18.04 LTS, 16.04 LTS |
Windows | Windows Server 2016, Windows Server 2019 The Console container must be run on a supported Linux operating system.
Defender is supported on Windows Server 2016 (vulnerability and compliance scanning), and Windows Server 2019 (vulnerability scanning, compliance scanning, and runtime defense for containers). |
VMware | Photon OS 3.0 latest release |
Kernel capabilities
Prisma Cloud Defender requires the following kernel capabilities.
More info about each capability can be found on the Linux capabilities man page.
When running on a Docker host, Prisma Cloud Defender uses the following files/folder on the host:
- /var/run/docker.sock — Required for accessing Docker runtime.
- /var/lib/twistlock — Required for storing Prisma Cloud data.
- /dev/log — Required for writing to syslog.
Docker Engine
Prisma Cloud provides support only for the versions of Docker Engine that Docker itself supports. Prisma Cloud supports the following and later versions. Only official mainstream Docker releases are supported.
- CE 19.03, 18.09
- EE 19.03, 18.03
For storage drivers, overlay2, overlay, and devicemapper are supported.
For more information, please refer to Docker’s guide to selecting a storage driver.
The versions of Docker Engine listed in this section apply to versions independently installed on a host.
These versions might not be the same as the versions shipped as a part of an orchestrator, such as Red Hat OpenShift.
In such cases, Prisma Cloud supports the version of Docker Engine that ships with any Prisma Cloud-supported version of the orchestrator.
OCI runtimes
Prisma Cloud supports the following container runtimes:
Container runtime | Version |
|---|---|
Docker | See the Docker section |
Native Kubernetes 1.19 (containerd 1.3.7) GKE 1.16 (containerd 1.2.8) GKE 1.17 (containerd 1.3.2) | |
OS 4.4 - CRIO version 1.17.5 OS 4.5 - CRIO version 1.18.3 OS 4.6 - CRIO version 1.19.0 |
Podman
Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.
The following version of Podman is supported:
- Podman 2.0.4
Orchestrators
Prisma Cloud is supported on the following orchestrators.
We support the following versions of official mainline vendor/project releases.
Orchestrator | Version |
|---|---|
Docker Swarm | CE 19.03 & 18.06, EE 19.03 & 18.03 |
Kubernetes | Native Kubernetes 1.18 (Docker) Native Kubernetes 1.19 (containerd 1.3.7) GKE 1.17 (Docker and containerd 1.3.2) GKE 1.16 (containerd 1.2.8) Includes managed solutions that are CNCF Certified Kubernetes conformant. |
OpenShift | 3.11 (Docker version only), 4.5, 4.6, 4.7 |
VMware Tanzu Application Service - TAS | v2.9, v2.10 |
ECS | Latest Amazon Linux 2, Latest ECS engine |
EKS | 1.17.12 |
AKS | 1.18.10, 1.19 |
Istio
Prisma Cloud supports Istio 1.6-1.8.
(Tested on 1.6.10, 1.7.5, 1.8.0)
Jenkins
Prisma Cloud provides a Jenkins plugin that scans images for vulnerabilities after they are built.
The Prisma Cloud plugin supports the following Jenkins versions:
- 2.190, 2.204 and 2.222 (these versions support Podman <2)
- 2.235 (this version doesn’t support Podman)
Image base layers
Prisma Cloud can protect containers built on nearly any base layer operating system.
Comprehensive Common Vulnerabilities and Exposures (CVE) data is provided for the following base layers:
- Alpine
- Amazon Linux 2
- BusyBox
- CentOS
- Debian
- Red Hat Enterprise Linux
- SuSE (SLES15SP1 LTSS, SLES15SP1, SLES12SP5, SLES12SP4, SLES12SP3, SLES11SP4)
- Ubuntu (LTS releases only)
- Windows Server
Serverless runtimes
Prisma Cloud can protect AWS Lambda functions at runtime. Prisma Cloud supports the following runtimes:
Serverless runtimes using Lambda Layers (including auto-protect)
- Node.js 10.x
- Python 2.7, 3.6, and 3.7
Serverless runtimes using manually embedded Defenders
- C# (.NET Core) 2.1, 3.1
- Java 8, 11
- Node.js 10.x, 12.x
- Python 2.7, 3.6, 3.7 and 3.8
Prisma Cloud can also scan serverless functions for vulnerabilities and compliance benchmarks. Prisma Cloud supports the following runtimes for vulnerability and compliance scans in AWS Lambda, Google Cloud Functions, and Azure Functions:
Serverless vulnerability and compliance scanning
- C# (.NET Core 2.1, .NET Core 3.1)
- Java 8, Java 11
- Node.js 10.x
- Python 2.7, 3.6, 3.7 and 3.8
Shells
For Linux, Prisma Cloud depends on the Bash shell.
For Windows, Prisma Cloud depends on PowerShell.
The shell environment variable DOCKER_CONTENT_TRUST should be set to 0 or unset before running any commands that interact with the Prisma Cloud cloud registry, such as Defender installs or upgrades.
Browsers
Prisma Cloud supports the latest versions of Chrome, Safari, and Edge.
For Microsoft Edge, we only support the new Chromium-based version (80.0.361 and later).