Google Kubernetes Engine (GKE) Autopilot
Table of Contents
Prisma Cloud Enterprise Edition
Expand all | Collapse all
-
- Getting started
- System Requirements
- Cluster Context
-
- Defender Types
- Manage your Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Deploy Orchestrator Defenders on Amazon ECS
- Automatically Install Container Defender in a Cluster
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Deploy Defenders as DaemonSets
- VMware Tanzu Application Service (TAS) Defender
- Deploy Defender on Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- Deploy Defender on OpenShift v4
- Deploy Defender with Declarative Object Management
-
- Agentless Scanning Modes
-
- Onboard AWS Accounts for Agentless Scanning
- Configure Agentless Scanning for AWS
- Onboard Azure Accounts for Agentless Scanning
- Configure Agentless Scanning for Azure
- Onboard GCP Accounts for Agentless Scanning
- Configure Agentless Scanning for GCP
- Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
- Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
- Agentless Scanning Results
-
- Rule ordering and pattern matching
- Backup and Restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with Certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
-
- Prisma Cloud Vulnerability Feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
-
- Configure Registry Scans
- Scan Images in Alibaba Cloud Container Registry
- Scan Images in Amazon Elastic Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan Images in Docker Registry v2 (including Docker Hub)
- Scan Images in GitLab Container Registry
- Scan images in Google Artifact Registry
- Scan Images in Google Container Registry (GCR)
- Scan Images in Harbor Registry
- Scan Images in IBM Cloud Container Registry
- Scan Images in JFrog Artifactory Docker Registry
- Scan Images in Sonatype Nexus Registry
- Scan images in OpenShift integrated Docker registry
- Scan Images in CoreOS Quay Registry
- Trigger Registry Scans with Webhooks
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless Functions Scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot Vulnerability Detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Malware Scanning
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
-
- Alert Mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
- API
Google Kubernetes Engine (GKE) Autopilot
You can now install the Prisma Cloud DaemonSet Defender on your GKE
Autopilot
cluster.
GKE Autopilot clusters are using cos_containerd
nodes, therefore the DaemonSet must be configured with CRI runtime
.
Defenders deployed on GKE Autopilot clusters only support the official twistlock registry. You can’t use a custom registry.- Review the prerequisites and the procedure in theGoogle Kubernetes Engine (GKE)and theInstall Prisma Cloud on a CRI (non-Docker) clustersections.
- Use the following twistcli command to generate the YAML file for the GKE Autopilot deployment.$ <PLATFORM>/twistcli defender export kubernetes \ --gke-autopilot \ --container-runtime crio \ --cluster-address <console address> \ --address https://<console address>:443The --gke autopilot flag adds the 'autopilot.gke.io/no-connect: "true"’ annotation to the YAML file and `--container-runtime crio flag enables the CRI option for nodes that use the Container Runtime Interface (CRI), not Docker. It also removes the '/var/lib/containers' mount from the generated file as that configuration is not required for the GKE autopilot deployment.If you are using the web interface, onManage > Defenders > Defenders: Deployed > Manual deployensure that theorchestrator typeisKubernetes, select theContainer Runtime typeasCRI-O, and enableGKE Autopilot deployment.Create thetwistlocknamespace on your cluster by running the following command:$ kubectl create namespace twistlockDeploy the updated YAML or the Helm chart on your GKE Autopilot cluster.Verify that the Defenders are deployed.After a few minutes you should observe the nodes and running containers in Console, with Prisma Cloud Compute now protecting your cluster.