Automated deployment
The following is an example of Infrastructure as Code (IaC) for the automated deployment of a Console and Defenders within a Kubernetes cluster using an Ansible playbook.
This requires a docker host, Prisma Cloud Compute license and kubectl administrative access to the Kubernetes cluster.
The Ansible playbook must run on a host that is able to route to the Console service’s ClusterIP address to perform the required API calls to configure the Console.
Use of this Ansible playbook does not imply any rights to Palo Alto Networks products and/or services.
Requirements
This sample IaC deployment runs on a unix based host with the following requirements:
- kubectl access to Kubernetes cluster with permissions to deploy Prisma Cloud Compute
- Ability to pull images from registry-auth.twistlock.com
- K8s-Console-Defender-deployment-ansible.yaml Ansible playbook
Process
Ansible playbook
Pull the Ansible playbook from here.
Update the variables in the vars: section in K8s-Console-Defender-deployment-ansible.yaml.
- twistlock_registry_token: <license_token>
- twistlock_license: <license>
- twistlock_install_version: <version_to_deploy, e.g. "21_04_421">
- user: <first_admin_username>
- password: <first_admin_password>
- storage_class: <k8s_storage_class_for_dynamic_persistent_volume>
- namespace: <namespace>
Execution
On the unix host, sudo to root and run the command
ansible-playbook K8s-Console-Defender-deployment-ansible.yaml
The supporting files will be written to the /root/twistlock directory.
Post execution
Once the playbook has successfully completed, establish communications to the twistlock-console service’s management-port-https port (default 8083/TCP) using a Kubernetes LoadBalancer or your organization’s approved cluster ingress technology.