Prisma Cloud Compute Edition Administrator’s Guide
    : Deploy App-Embedded Defender in Google Cloud Run (GCR)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Install
    6. Deploy Prisma Cloud Defenders
    7. Deploy App-Embedded Defender
    8. Deploy App-Embedded Defender in Google Cloud Run (GCR)
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Deploy App-Embedded Defender in Google Cloud Run (GCR)

    Table of Contents

    Deploy App-Embedded Defender in Google Cloud Run (GCR)

    Deploy an App-Embedded Defender in GCR to provide runtime protection to App-Embedded applications installed in GCR.
    The App-Embedded Defender enforces runtime policy on the application entrypoint and any child processes created by this entrypoint. To learn when to use App-Embedded Defenders, see Defender types.
    To learn more about App-Embedded Defender’s capabilities, see:

    System Requirements

    • GCR supports Linux (X86) containers
    • Any Docker image with Prisma Cloud App-Embedded Defender binary
    • Google Cloud Registry (recommended)

    Prerequisites

    • You can connect to GCR and DockerHub
    Configure GCP to authenticate Prisma Cloud
    • Sign in to your Google Cloud account.
    • Log in to Google Cloud Registry.
    • In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
      • Set "private" visibility for your GCP container registry host under
        GCP project > Home > Container Registry > Settings
        .
    • Configure GCloud authentication using any of the following options:
      • Authenticate using GCP user credentials:
        $ gcloud auth login ### Type the User GCP credentials
$ cat ~/.docker/config.json  ### Check that GCP has gcloud users configured
      • Authenticate using GCP Service Account:
        $ gcloud auth activate-service-account ACCOUNT --key-file=KEY-FILE
### KEY-FILE is the Service Account key file under *GCP > Service Accounts > Actions > Manage keys*
    Configure Docker for GCP in your localhost
    $ gcloud auth configure-docker
$ cat ~/.docker/config.json.  ### check that GCP has gcloud users configured

    Configure App-Embedded Defender in Prisma Console UI

    Prisma Console provides you with an App-Embedded Defender bundle that contains the Dockerfile with App-Embedded configurations and the Defender installation binary file.
    You can select one of the
    Deployment types
    : Dockerfile or Manual.
    • Dockerfile
      : Creates a new Dockerfile based on your Dockerfile and embeds the App-Embedded parameters.
    • Manual
      : Select the manual method to customize the required Dockerfile parameters in the Console UI and directly download the App-Embedded Defender binary file.

    Embed App-Embedded Defender with Dockerfile

    Upload your Dockerfile and Prisma Cloud creates a new Dockerfile with App-Embedded Defender parameters and the Defender binary file.
    1. Log in to Prisma Cloud Console.
    2. Go to
      Manage > Defenders > Deployed Defenders > Manual deploy
      .
    3. In Deployment method, select
      Single Defender
      .
    4. Select the Defender type as
      Container Defender - App-Embedded
      .
    5. Select the DNS name configured in
      Manage > Defenders > Names (SAN)
       or public IP address that Defender will use to connect to Prisma Console.
    6. Enable file system runtime protection
       to allow the sensors to monitor file system events regardless of how your runtime policy is configured, and could impact the underlying workload’s performance.
    7. Select Deployment type as
      Dockerfile
      .
      1. In
        App ID
        , enter a unique identifier for the App-Embedded Defender. All vulnerability, compliance, and runtime findings for the container will be aggregated under this App ID. In Console, the App ID is presented as the image name. Be sure to specify an App ID that lets you easily trace findings back to the image.
      2. In
        Data folder
        , enter the path that the Defender will use to write files and store information.
      3. Dockerfile
        : Upload the Dockerfile for your container image. Set up the task’s entrypoint in the Dockerfile. The embed process modifies the container’s entrypoint to run the App-Embedded Defender first, which in turn starts the original entrypoint process. The Defender starts defending the app from the entrypoint and the thread/child process created by this entrypoint.
    8. Download
       the App-embedded bundle that contains the Dockerfile with Defender deployment configurations appended to your Dockerfile and the App-Embedded Defender binary file.
    9. Rebuild the image and embed the Defender in GCR.

    Embed App-Embedded Defender Manually

    Embed App-Embedded Defender into a container image manually. Modify your Dockerfile with the given configurations, download the App-Embedded Defender binaries into the image’s build context, then rebuild the image.
    Prerequisites
    • At runtime, the container where you’re embedding App-Embedded Defender can reach Console over the network. For Enterprise Edition, Defender talks to Console on port 443. For Compute Edition, Defender talks to Console on port 8084.
    • The host where you are rebuilding your container image with App-Embedded Defender can reach Console over the network on port 8083.
    • You have the Dockerfile for your image.
    1. Log in to Prisma Cloud Console.
    2. Go to
      Manage > Defenders > Deployed Defenders > Manual deploy
      .
    3. In Deployment method, select
      Single Defender
      .
    4. Select the Defender type as
      Container Defender - App-Embedded
      .
    5. Select the DNS name (configured in
      Manage > Defenders > Names (SAN)
       or public IP address that Defender will use to connect to Prisma Console.
    6. Enable file system runtime protection
       to allow the sensors to monitor file system events regardless of how your runtime policy is configured, and could impact the underlying workload’s performance.
    7. Select
      Deployment type
       as
      Manual
      Follow the instructions for embedding App-Embedded Defender into your image.
      1. Download the App-Embedded bundle using the command or download the file directly.
      2. Configure your Dockerfile and set the following environment variables:
        DEFENDER_TYPE="appEmbedded"
ENV DEFENDER_APP_ID="Unique identifier for the App-Embedded Defender in Prisma Cloud Console"
FILESYSTEM_MONITORING="true/false"
WS_ADDRESS="Websocket address the Defender is communicating to"
DATA_FOLDER="The path that Defender uses to store its metadata"
INSTALL_BUNDLE="The access key for the Prisma Console, copy this from the Console"
FIPS_ENABLED="true/false"
ENTRYPOINT="Modify the entrypoint for the app to start the app under the control of App-Embedded Defender"
      3. Add the App-Embedded Defender to Dockerfile.
        ADD twistlock_defender_app_embedded.tar.gz <DATA_FOLDER>
      4. Modify the entrypoint so that your app starts under the control of App-Embedded Defender.
      5. Rebuild your image and embed the Defender in Cloud instance.

    Embed App-Embedded Defender in GCR

    Prisma Cloud uses the updated Dockerfile to deploy the Defender in your containers running in GCR. Use the updated Dockerfile to build the image for App-Embedded Defender, push it to Google Container Registry, and then run the Google Container instance.
    Prerequisite
    :
    1. Log in to Docker
      docker login
    2. Copy the App-Embedded zipped bundle and unzip it to get the Dockerfile and App-Embedded Defender binary.
    3. Build the Dockerfile:
      docker build -t <GCP_Container_Registry>:<docker_images_name>  <local_path_host_dockerfile>
      If your Dockerfile is in the current directory, use
      .
       for <local_path_host-Dockerfile>
    4. Push the docker image to GCR
      :
      docker push HOSTNAME/PROJECT-ID/IMAGE:TAG
      1. Verify the docker image exists in your
        GCP project > Container Registry > Images
         under your relevant repository.
    5. Deploy Docker image in Google Cloud Run using Google Console
      :
      1. Select your
        Container Registry > Images
        , and select
        Actions > Deploy to Cloud Run
        .
      2. Enter a
        Service name
         or select the default value.
      3. Set the
        CPU allocation and pricing
         to
        CPU is always allocated
        .
      4. Select the
        Ingress
         traffic to allow
        All
         requests, including requests directly from the internet to the
        run
        .
    6. In the
      Container, Networking, Security
       section, enter the
      Container port
       as 8080.
    7. Select
      CREATE
      .
    8. Go to
      Cloud Run
       and verify the Docker Container service running in GCP.
      This App-Embedded Defender running in GCR is now recognized in Prisma Console under
      Manage > Defenders > Deployed Defenders
      .

    Embed App-Embedded Defender with twistcli

    Use the twistcli command line tool to embed an App-Embedded Defender in your Cloud Container Registries.
    Prerequisites
    :
    • Running tasks can connect to Prisma Cloud Console over the network.
    • Prisma Cloud Defender connects to Console to retrieve runtime policies and send audits.
    • Defender uses port 8084 to connect to the Prisma Cloud Console by default. You can configure the port number when you install the Prisma Cloud Console.
    • The container where you’re embedding App-Embedded Defender can reach Console’s port 8084 over the network.
    • You have Dockerfile for you image.
    • Cloud CLI, such as Azure CLI, or Google Cloud CLI.
    1. Log in to Prisma Cloud Console.
    2. Download twistcli
      1. Go to
        Manage > System > Utilities
        , and download twistcli for your platform.
    3. Run twistcli to embed Defender in your Cloud Registry (such as Azure, or Google Run).
      A file named app_embedded_embed<app_id>.zip_ is created, that has the Dockerfile for App-Embedded Defender and App-Embedded Defender binary file.
      $ ./twistcli app-embedded embed \
   --user <USER> \
   --password <PASSWORD> \
   --address "<CONSOLE_URL>" \
   --app-id <APP-ID name> \
   --data-folder /tmp \
   <Docker-file-path-location>
      • <user> — Name of a Prisma Cloud user with a minimum role of Defender Manager.
      • <password> — For Prisma Cloud Enterprise Edition, you can also specify the secret key that you configured under
        Prisma > Settings > Access Control > Access Keys
        .
      • <token> — API Token for authenticating with Prisma Cloud Console. (For Enterprise Edition only)
      • <CONSOLE> — DNS name or IP address for Console.
      • <APP-ID> — Unique identifier.
        When setting <APP-ID>, specify a value that lets you easily trace findings back to the image. All vulnerability, compliance, and runtime findings for the container will be aggregated under this App ID.
        In Console, the App ID is presented as the image name.
      • <DATA-FOLDER> — Readable and writable directory in the container’s filesystem.
      • To enable file system protection, add the --filesystem-monitoring flag to the twistcli command.
    5. Create and push the docker image to GCR
      1. Authenticate using GCP credentials:
        $ gcloud auth login
      2. Or, Authenticate using GCP Service Account key (KEY-FILE): (Get the KEY-FILE from
        GCP > Service Accounts > Actions > Manage keys
        )
        $ gcloud auth activate-service-account ACCOUNT --key-file=KEY-FILE
      3. Configure Docker for GCP in your localhost
        $ glcoud auth configure-docker
      4. Build the Dockerfile
        $ docker build -t <GCP_Container_Registry>:<docker_images_name>  <local_path_host_dockerfile>
$ docker images ### Verify the image built
      5. Push the image to GCR
        $ docker push HOSTNAME/PROJECT-ID/IMAGE:TAG
      6. Check the image exists in GCR repo under
        GCP project > Container Registry > Images
      7. Deploy Docker image in Google Cloud Run using gcloud
        $ gcloud run deploy [SERVICE] \
--image <IMAGE_URL> \
--service-account <SERVICE_ACCOUNT> \
--no-cpu-throttling \
--platform managed \
--ingress <all> \
--port <port-exposed-in-dockerfile> \
--region <REGION> \
--project <PROJECT_NAME>
        If there is no port exposed in Dockerfile, GCP Cloud Run will use 8080 port as the default.

    Delete a Container Instance

    $ az container delete -g <MyContainerGroup> --name <Container-name> -y

    Trigger Events for App-Embedded

    To trigger the App Server logs, get the GCP URL from GCP Docker Container service.
    $ curl -k -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" <app_emb_gcp_URL>/runsee -d $(echo 'ldd --help'|base64)

    Monitor App-Embedded Events

    You can view the App-Embedded runtime events by app ID under
    Monitor > Events > App-Embedded audits
    , and view the App-Embedded incidents under
    Monitor > Runtime > Incident Explorer
    .
    You can also deploy WAAS for Containers Protected By App-Embedded Defender, create a WAAS rule policy, add an app, enable protections, run WAAS sanity tests, and monitor the events under
    Monitor > Events > WAAS for App-Embedded
    .

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.