Document:Prisma Cloud Administrator’s Guide (Compute)

Google Kubernetes Engine (GKE) Autopilot

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Cluster Context
- Deploy Prisma Cloud Defenders
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Agentless Scanning Modes
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Google Kubernetes Engine (GKE) Autopilot

You can now install the Prisma Cloud DaemonSet Defender on your GKE Autopilot
cluster. GKE Autopilot clusters are using cos_containerd
nodes, therefore the DaemonSet must be configured with CRI runtime
. Defenders deployed on GKE Autopilot clusters only support the official twistlock registry. You can’t use a custom registry.

Review the prerequisites and the procedure in the Google Kubernetes Engine (GKE)
and the Install Prisma Cloud on a CRI (non-Docker) cluster
sections.

Use the following twistcli command to generate the YAML file for the GKE Autopilot deployment.

   $ <PLATFORM>/twistcli defender export kubernetes \
    --gke-autopilot \
    --cri \
    --cluster-address <console address> \
    --address https://<console address>:443

The --gke autopilot flag adds the 'autopilot.gke.io/no-connect: "true"’ annotation to the YAML file and `--cri flag enables the CRI option for nodes that use the Container Runtime Interface (CRI), not Docker. It also removes the '/var/lib/containers' mount from the generated file as that configuration is not required for the GKE autopilot deployment.

If you are using the web interface, on Manage > Defenders > Deploy > Defenders
ensure that the orchestrator type
is Kubernetes
, and that the Nodes use Container Runtime Interface (CRI), not Docker
and GKE Autopilot deployment
are set to be On
.

Create the twistlock
namespace on your cluster by running the following command:

$ kubectl create namespace twistlock

Deploy the updated YAML or the Helm chart on your GKE Autopilot cluster.

Verify that the Defenders are deployed.

After a few minutes you should observe the nodes and running containers in Console, with Prisma Cloud Compute now protecting your cluster.

Document:Prisma Cloud Administrator’s Guide (Compute)

Google Kubernetes Engine (GKE) Autopilot

Table of Contents

Google Kubernetes Engine (GKE) Autopilot

Most Popular