Google Kubernetes Engine (GKE) Autopilot

You can now install the Prisma Cloud DaemonSet Defender on your GKE
Autopilot
cluster. GKE Autopilot clusters are using
cos_containerd
nodes, therefore the DaemonSet must be configured with
CRI runtime
. Defenders deployed on GKE Autopilot clusters only support the official twistlock registry. You can’t use a custom registry.
  1. Review the prerequisites and the procedure in the
    Google Kubernetes Engine (GKE)
    and the
    Install Prisma Cloud on a CRI (non-Docker) cluster
    sections.
  2. Use the following twistcli command to generate the YAML file for the GKE Autopilot deployment.
    $ <PLATFORM>/twistcli defender export kubernetes \ --gke-autopilot \ --cri \ --cluster-address <console address> \ --address https://<console address>:443
    The --gke autopilot flag adds the 'autopilot.gke.io/no-connect: "true"’ annotation to the YAML file and `--cri flag enables the CRI option for nodes that use the Container Runtime Interface (CRI), not Docker. It also removes the '/var/lib/containers' mount from the generated file as that configuration is not required for the GKE autopilot deployment.
    If you are using the web interface, on
    Manage > Defenders > Deploy > Defenders
    ensure that the
    orchestrator type
    is
    Kubernetes
    , and that the
    Nodes use Container Runtime Interface (CRI), not Docker
    and
    GKE Autopilot deployment
    are set to be
    On
    .
  3. Create the
    twistlock
    namespace on your cluster by running the following command:
    $ kubectl create namespace twistlock
  4. Deploy the updated YAML or the Helm chart on your GKE Autopilot cluster.
  5. Verify that the Defenders are deployed.
    After a few minutes you should observe the nodes and running containers in Console, with Prisma Cloud Compute now protecting your cluster.