Google Kubernetes Engine (GKE) Autopilot

You can now install the Prisma Cloud DaemonSet Defender on your GKE cluster. GKE Autopilot clusters are using nodes, therefore the DaemonSet must be configured with CRI runtime. Defenders deployed on GKE Autopilot clusters only support the official twistlock registry. You can’t use a custom registry.
  1. Review the prerequisites and the procedure in the Google Kubernetes Engine (GKE) and the Install Prisma Cloud on a CRI (non-Docker) cluster topics.
  2. Use the following twistcli command to generate the YAML file for the GKE Autopilot deployment.
    $ <PLATFORM>/twistcli defender export kubernetes \
        --gke-autopilot \
        --cri \
        --cluster-address <console address> \
        --address https://<console address>:443
    The `--gke-autopilot` flag adds the ' "true"' annotation to the YAML file, and the `--cri` flag enables the CRI option for nodes that use the Container Runtime Interface (CRI), not Docker. It also removes the '/var/lib/containers' mount from the generated file, as that configuration is not required for the GKE Autopilot deployment.
    If you are using the web interface, on Manage > Defenders > Deploy > Defenders ensure that the orchestrator type, and that the Nodes use Container Runtime Interface (CRI), not Docker and GKE Autopilot deployment are set to be
  3. Create the twistlock namespace on your cluster by running the following command:
    $ kubectl create namespace twistlock
  4. Deploy the updated YAML or the Helm chart on your GKE Autopilot cluster.
  5. Verify that the Defenders are deployed.
    After a few minutes you should observe the nodes and running containers in Console, with Prisma Cloud Compute now protecting your cluster.
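
A pre-deployment check to run between steps 2 and 4, as an added example that is not part of the Prisma Cloud documentation: it lints the generated YAML for the properties this page describes (no '/var/lib/containers' mount, a DaemonSet in the twistlock namespace, images only from the official registry). The function name and the registry host pattern are assumptions; adjust the pattern to your tenant.

```shell
#!/bin/sh
# Added example: lint the twistcli-generated Defender manifest before applying
# it to a GKE Autopilot cluster. Usage: check_autopilot_manifest <generated.yaml>

# Assumption: images from the official registry are served from a host under
# twistlock.com. Override OFFICIAL_REGISTRY_RE if your tenant differs.
OFFICIAL_REGISTRY_RE=${OFFICIAL_REGISTRY_RE:-'^[a-z0-9.-]*\.twistlock\.com/'}

check_autopilot_manifest() {
    manifest=$1
    rc=0
    [ -r "$manifest" ] || { echo "cannot read: $manifest" >&2; return 2; }

    # The page says the generated Autopilot file omits this mount.
    if grep -n '/var/lib/containers' "$manifest" >&2; then
        echo "FAIL: /var/lib/containers is still referenced" >&2
        rc=1
    fi

    # The export must contain the Defender DaemonSet.
    if ! grep -Eq '^kind:[[:space:]]*DaemonSet[[:space:]]*$' "$manifest"; then
        echo "FAIL: no DaemonSet object found" >&2
        rc=1
    fi

    # Objects must land in the namespace created in step 3.
    if ! grep -Eq '^[[:space:]]+namespace:[[:space:]]*twistlock[[:space:]]*$' "$manifest"; then
        echo "FAIL: nothing targets the twistlock namespace" >&2
        rc=1
    fi

    # Custom registries are not supported on Autopilot: check every image.
    images=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$manifest" | tr -d "\"'")
    [ -n "$images" ] || { echo "FAIL: no image fields found" >&2; rc=1; }
    for img in $images; do
        if ! printf '%s\n' "$img" | grep -Eq "$OFFICIAL_REGISTRY_RE"; then
            echo "FAIL: image not from the official registry: $img" >&2
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then echo "OK: $manifest passes the Autopilot checks"; fi
    return "$rc"
}
```

Source the file and call the function on the generated YAML; a non-zero return means the manifest should be regenerated with the flags from step 2 before it is applied.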