Google Kubernetes Engine (GKE) Autopilot
You can now install the Prisma Cloud DaemonSet Defender on your GKE Autopilot cluster.

GKE Autopilot clusters use cos_containerd nodes, so the DaemonSet must be configured for the CRI runtime rather than Docker.

Defenders deployed on GKE Autopilot clusters only support the official twistlock registry. You can't use a custom registry.

- Review the prerequisites and the procedure in the Google Kubernetes Engine (GKE) and the Install Prisma Cloud on a CRI (non-Docker) cluster sections.
- Use the following twistcli command to generate the YAML file for the GKE Autopilot deployment:

  $ <PLATFORM>/twistcli defender export kubernetes \
      --gke-autopilot \
      --cri \
      --cluster-address <console address> \
      --address https://<console address>:443

  The --gke-autopilot flag adds the 'autopilot.gke.io/no-connect: "true"' annotation to the YAML file. The --cri flag enables the CRI option for nodes that use the Container Runtime Interface (CRI) instead of Docker. The file generated for an Autopilot deployment also omits the /var/lib/containers mount, because that mount is not required on GKE Autopilot.

  If you are using the web interface, go to Manage > Defenders > Deploy > Defenders, make sure the orchestrator type is Kubernetes, and set both Nodes use Container Runtime Interface (CRI), not Docker and GKE Autopilot deployment to On.
- Create the twistlock namespace on your cluster:

  $ kubectl create namespace twistlock

- Deploy the updated YAML or the Helm chart on your GKE Autopilot cluster.
- Verify that the Defenders are deployed. After a few minutes you should see the nodes and running containers in Console, with Prisma Cloud Compute now protecting your cluster.
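The steps above as one script, added here as an example; it is not Prisma Cloud's own tooling. It generates the manifest with the twistcli flags documented on this page, checks that the generated file actually carries the Autopilot annotation and does not carry the /var/lib/containers mount (a quick way to catch a manifest exported without --gke-autopilot before it is applied), and then creates the namespace, applies the manifest and waits for the DaemonSet to roll out. Assumptions: the Console address, twistcli path and output file name (defender.yaml) are placeholders, the DaemonSet name twistlock-defender-ds is assumed, twistcli authentication flags are omitted as on this page, and the YAML snippets in GOOD_SAMPLE and BAD_SAMPLE are constructed for offline testing, not real twistcli output.

```shell
#!/usr/bin/env sh
# Added example (not Prisma Cloud's own code): export, check and deploy the
# GKE Autopilot Defender DaemonSet. All values below are assumptions to adjust.
CONSOLE="${CONSOLE:-console.example.com}"    # assumption: your Console address
TWISTCLI="${TWISTCLI:-./linux/twistcli}"     # assumption: path to the twistcli binary
OUT="${OUT:-defender.yaml}"                  # assumption: file twistcli writes the manifest to
DS_NAME="${DS_NAME:-twistlock-defender-ds}"  # assumption: DaemonSet name in the manifest
NS="twistlock"

# Step 1: generate the manifest with the flags documented on this page.
generate_yaml() {
  "$TWISTCLI" defender export kubernetes \
    --gke-autopilot \
    --cri \
    --cluster-address "$CONSOLE" \
    --address "https://$CONSOLE:443"
}

# Step 2: sanity-check the manifest before applying it to an Autopilot cluster.
# Returns 0 only if the no-connect annotation is present AND the
# /var/lib/containers hostPath mount (not needed on Autopilot) is absent.
check_autopilot_yaml() {
  f="$1"
  if ! grep -q 'autopilot.gke.io/no-connect: "true"' "$f"; then
    echo "check: missing autopilot.gke.io/no-connect annotation in $f" >&2
    return 1
  fi
  if grep -q '/var/lib/containers' "$f"; then
    echo "check: /var/lib/containers mount still present in $f" >&2
    return 1
  fi
  return 0
}

# Step 3: create the namespace (idempotent), apply, and wait for the rollout.
deploy() {
  kubectl create namespace "$NS" 2>/dev/null || true
  kubectl apply -f "$OUT"
  kubectl -n "$NS" rollout status "daemonset/$DS_NAME" --timeout=5m
  kubectl -n "$NS" get pods -o wide
}

# Constructed samples (not real twistcli output) used to exercise the check offline.
GOOD_SAMPLE='apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: twistlock-defender-ds
  namespace: twistlock
  annotations:
    autopilot.gke.io/no-connect: "true"
spec:
  template:
    spec:
      volumes:
        - name: cri-data
          hostPath:
            path: /var/lib/containerd'

BAD_SAMPLE='apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: twistlock-defender-ds
  namespace: twistlock
spec:
  template:
    spec:
      volumes:
        - name: containers-data
          hostPath:
            path: /var/lib/containers'

# Only touch twistcli and the cluster when explicitly asked: ./deploy.sh run
if [ "${1:-}" = "run" ]; then
  generate_yaml
  check_autopilot_yaml "$OUT" || { echo "manifest is not suitable for Autopilot" >&2; exit 1; }
  deploy
fi
```

Run it as `sh deploy.sh run` from a shell that already has kubectl pointed at the Autopilot cluster; without the `run` argument it only defines the functions, so the check can be exercised against any manifest on hand with `check_autopilot_yaml some.yaml`.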