Install Container Defender in a cluster

Container orchestrators provide native capabilities for deploying agents, such as Defender, to every node in the cluster. Prisma Cloud leverages these capabilities to install Defender.
The process for deploying Container Defender to a cluster can be found in the dedicated orchestrator-specific install guides.
If you wish to automate the defenders deployment process to a cluster, or you don’t have kubectl access to your cluster (or oc access for OpenShift), you can deploy Defender DaemonSets directly from the Console UI.
This Defender install flow doesn’t let you manually configure a cluster name. Cluster names let you segment your views of the environment. For most cases, this shouldn’t be a problem because if you’re deploying to a managed cluster, then Prisma Cloud retrieves the cluster name directly from the cloud provider. If you must manually specify a name, deploy your Defenders from
Manage > Defenders > Deploy > DaemonSet
or use twistcli.

Deploy Defender DaemonSet using kubeconfig

  • You’ve created a kubeconfig credential for your cluster so that Prisma Cloud can access it to deploy the Defender DaemonSet.
Deployment process:
  1. Log into Prisma Cloud Console.
  2. Go to
    Manage > Defenders > Manage
  3. Click
  4. For each cluster in the table, click
    Actions > Deploy
    The table shows a count of deployed Defenders and their version number.

Deploy Defender DaemonSet for GKE

  • You have a GKE cluster deployed
  • You’ve created a corresponding Service Account key in JSON format. The Service Account should have the following permissions:
    • Editor
    • Compute Storage Admin
    • Kubernetes Engine Admin
    • Service Account Token Creator
  • You’ve created a