This topic helps you install Prisma Cloud in your Kubernetes cluster quickly. There are many ways to install Prisma Cloud, but use this workflow to quickly deploy Defenders and verify how information is accessible from the Prisma Cloud Console. After completing this procedure, you can modify the installation to match your needs.
To better understand clusters, read our cluster context topic.
To deploy Prisma Cloud Defenders, you use the command-line utility called , which is bundled with the Prisma Cloud software. The process has the following steps to give you full control over the created objects.
  1. The twistcli utility generates YAML configuration files or Helm charts for the Defender.
  2. You create the required objects in your cluster with the kubectl create command.
You can inspect, customize, and manage the YAML configuration files or Helm charts before deploying the Prisma Cloud Console and Defender. You can place the files or charts under source control to track changes, to integrate them with Continuos Integration and Continuos Development (CI/CD) pipelines, and to enable effective collaboration.
Each Prisma Cloud Defender is deployed as a DaemonSet to ensure that a Prisma Cloud Defender instance runs on each worker node of your cluster.


To deploy your Defenders smoothly, you must meet the following requirements.
  • You have a valid Prisma Cloud license key and access token.
  • You provisioned a Kubernetes cluster that meets the minimum system requirements and runs a supported Kubernetes version.
  • You set up a Linux or macOS system to control your cluster, and you can access the cluster using the kubectl command-line utility.
  • The nodes in your cluster can reach Prisma Cloud’s cloud registry at registry-auth.twistlock.com.
  • Your cluster uses any of the following runtimes. For more information about the runtimes that Prisma Cloud supports, see the system requirements.
    • Docker Engine
    • CRI-O
    • CRI-containerd
  • Install the Prisma Cloud command-line utility called twistcli, which is bundled with the Prisma Cloud software. You use twistcli to deploy the Defenders.

Required Permissions

  • You can create and delete namespaces in your cluster.
  • You can run the kubectl create command.

Required Firewall and Port Configuration

Open the following ports in your firewall.
Ports for the
Prisma Cloud Defenders
  • Incoming: None
  • Outgoing: 443

Install the Prisma Cloud Command-Line Utility

To use Prisma Cloud as part of your Kubernetes deployment, you need the twistcli command-line utility and the Prisma Cloud Defenders.
  1. Use the twistcli command-line utility to deploy the Prisma Cloud Defenders in your Kubernetes cluster.
    The twistcli utility is included with every Prisma Cloud release.
  2. Ensure that your cluster configuration allows the Defenders to connect to the Prisma Cloud Console service. The Defenders connect to the Prisma Cloud Console service using a websocket over port 443 to retrieve policies and send data.

Install the Prisma Cloud Defender

To install the Prisma Cloud Defender, deploy the Defenders as DaemonSet custom resources. This approach ensures that a Defender instance runs on every node in the cluster. To deploy the Prisma Cloud Defender, use a macOS or Linux cluster controller with kubectl enabled and follow these steps:
  1. Use the twistcli command-line utility to generate the DaemonSet YAML configuration file for the Defender.
  2. Deploy the generated custom resource with kubectl.
This approach is called declarative object management. It allows you to work directly with the YAML configuration files. The benefit is that you get the full source code for the custom resources you create in your cluster, and you can use a version control tool to manage and track modifications. With YAML configuration files under version control, you can delete and reliably recreate DaemonSets in your environment.
If you don’t have kubectl access to your cluster, you can deploy Defender DaemonSets directly from the Console UI.
This procedure shows you how to deploy Defender DaemonSets using the twistcli command-line utility and declarative object management. You can also generate the installation commands using the Prisma Cloud Console UI under
Manage > Defenders > Deploy > Defenders
. Installation scripts are provided for Linux and MacOS workstations. Use the twistcli command-line utility to generate the Defender DaemonSet YAML configuration files from Windows workstations. Deploy the custom resources with kubectl following this procedure.
    1. Sign into Prisma Cloud.
    2. Go to
      Compute > Manage > System > Utilities
    3. Copy the URL under
      Path to Console
  1. Retrieve the hostname of the Prisma Cloud Console hostname to use as the value for PRISMA_CLOUD_COMPUTE_HOSTNAME.
    The hostname can be derived from the URL by removing the protocol scheme and path. It is simply the host part of the URL. You can also retrieve the hostname directly.
  2. Generate the DaemonSet custom resource for the Defender.
    1. Go to
      Compute > Manage > Defenders > Deploy > Defenders
    2. Select
    3. Select
      Step 2: Choose the orchestrator type
    4. Copy the hostname from
      Step 3: The name that Defender will use to connect to this Console
  3. Generate the defender.yaml file using the following twistcli command with the described parameters.
    $ <PLATFORM>/twistcli defender export kubernetes \ --user <ADMIN_USER> \ --address <PRISMA_CLOUD_COMPUTE_CONSOLE_URL> \ --cluster-address <PRISMA_CLOUD_COMPUTE_HOSTNAME> --cri
    • <PLATFORM> can be linux, osx, or windows.
    • <ADMIN_USER> is the name of a Prisma Cloud user with the System Admin role.
    • <PRISMA_CLOUD_COMPUTE_CONSOLE_URL> specifies the address of the Prisma Cloud Compute Console.
    • <PRISMA_CLOUD_COMPUTE_HOSTNAME> specifies the address Defender uses to connect to Prisma Cloud Console. You can use the external IP address exposed by your load balancer or the DNS name that you manually set up.
      • For provider managed clusters, Prisma Cloud automatically gets the cluster name from your cloud provider.
      • To override the cluster name used that your cloud provider has, use the --cluster option.
      • For self-managed clusters, such as those built with kops, manually specify a cluster name with the