1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Install
    6. Deploy Prisma Cloud Defenders
    7. Kubernetes
    8. Deploy Defender with Declarative Object Management

    Deploy Defender with Declarative Object Management

    Defender is installed as a DaemonSet, which ensures that an instance of Defender runs on every node in the cluster. Use twistcli to generate a YAML configuration file or Helm chart for the Defender DaemonSet, then deploy it using oc. You can use the same method to deploy Defender DaemonSets from both macOS and Linux.
    The benefit of declarative object management, where you work directly with YAML configuration files, is that you get the full "source code" for the objects you create in your cluster. You can use a version control tool to manage and track modifications to config files so that you can delete and reliably recreate DaemonSets in your environment.
    If you don’t have kubectl access to your cluster (or oc access for OpenShift), you can deploy Defender DaemonSets directly from the Console UI.
    The following procedure shows you how to deploy Defender DaemonSets with twistcli using declarative object management. Alternatively, you can generate Defender DaemonSet install commands in the Console UI under
    Manage > Defenders > Deploy > DaemonSet
    . Install scripts work on Linux hosts only. For macOS and Windows hosts, use twistcli to generate Defender DaemonSet YAML configuration files, and then deploy it with oc, as described in the following procedure.

    Get connection strings

    When calling twistcli to generate your YAML files and Helm charts, you’ll need to specify a couple of addresses.
    1. Retrieve Console’s URL (PRISMA_CLOUD_COMPUTE_CONSOLE_URL).
      1. Sign into Prisma Cloud.
      2. Go to
        Compute > Manage > System > Utilities
        .
      3. Copy the URL under
        Path to Console
        .
    2. Retrieve Console’s hostname (PRISMA_CLOUD_COMPUTE_HOSTNAME).
      The hostname can be derived from the URL by removing the protocol scheme and path. It is simply the host part of the URL. You can also retrieve the hostname directly.
      1. Go to
        Compute > Manage > Defenders > Deploy > Defenders > Orchestrator
      2. Select
        OpenShift
         from
        Step 2
         (
        Choose the orchestrator type
        )
      3. Copy the hostname from
        Step 3
         (
        The name that Defender will use to connect to this Console
        )

    Option #1: Deploy with YAML files

    Deploy the Defender DaemonSet with YAML files.
    The twistcli defender export command can be used to generate native Kubernetes YAML files to deploy the Defender as a DaemonSet.
    1. Generate a defender.yaml file, where:
      The following command connects to Console (specified in --address) as user <ADMIN> (specified in --user), and generates a Defender DaemonSet YAML config file according to the configuration options passed to twistcli. The --cluster-address option specifies the address Defender uses to connect to Console.
      $ <PLATFORM>/twistcli defender export openshift \
  --user <ADMIN_USER> \
  --address <PRISMA_CLOUD_COMPUTE_CONSOLE_URL> \
  --cluster-address <PRISMA_CLOUD_COMPUTE_HOSTNAME> \
  --cri
      • <PLATFORM> can be linux, osx, or windows.
      • <ADMIN_USER> is the name of a Prisma Cloud user with the System Admin role.
    2. Deploy the Defender DaemonSet.
      $ oc create -f ./defender.yaml

    Option #2: Deploy with Helm chart

    Deploy the Defender DaemonSet with a Helm chart.
    Prisma Cloud Defenders Helm charts fail to install on OpenShift 4 clusters due to a Helm bug. If you generate a Helm chart, and try to install it in an OpenShift 4 cluster, you’ll get the following error:
    Error: unable to recognize "": no matches for kind "SecurityContextConstraints" in version "v1"
    To work around the issue, manually modify the generated Helm chart.
    1. Generate the Defender DaemonSet helm chart.
      A number of command variations are provided. Use them as a basis for constructing your own working command.
      The following commands connects to Console (specified in --address) as user <ADMIN> (specified in --user), and generates a Defender DaemonSet YAML config file according to the configuration options passed to twistcli. The --cluster-address option specifies the address Defender uses to connect to Console.
      Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.
       Use the OpenShift external route for your Prisma Cloud Console, --address https://twistlock-console.apps.ose.example.com. Designate Prisma Cloud’s cloud registry by omitting the --image-name flag. Defining CRI-O as the default container engine by using the -cri flag.
      $ <PLATFORM>/twistcli defender export openshift \
  --user <ADMIN_USER> \
  --address <PRISMA_CLOUD_COMPUTE_CONSOLE_URL> \
  --cluster-address <PRISMA_CLOUD_COMPUTE_HOSTNAME> \
  --cri \
  --helm
      Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.
       Use the --image-name flag to designate an image from the OpenShift internal registry. Defining CRI-O as the default container engine by using the -cri flag.
      $ <PLATFORM>/twistcli defender export openshift \
  --user <ADMIN_USER> \
  --address <PRISMA_CLOUD_COMPUTE_CONSOLE_URL> \
  --cluster-address <PRISMA_CLOUD_COMPUTE_HOSTNAME> \
  --image-name 172.30.163.181:5000/twistlock/private:defender_<VERSION> \
  --cri \
  --helm
      Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.
       When generating the Defender DaemonSet YAML with twistcli from a node inside the cluster, use Console’s service name (twistlock-console) or cluster IP in the --cluster-address flag. This flag specifies the endpoint for the Prisma Cloud Compute API and must include the port number. Defining CRI-O as the default container engine by using the -cri flag.
      $ <PLATFORM>/twistcli defender export openshift \
  --user <ADMIN_USER> \
  --address <PRISMA_CLOUD_COMPUTE_CONSOLE_URL> \
  --cluster-address <PRISMA_CLOUD_COMPUTE_HOSTNAME> \
  --cri \
  --helm
      Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.
       Use the --image-name flag to designate an image in the OpenShift internal registry. Defining CRI-O as the default container engine by using the -cri flag.
      $ <PLATFORM>/twistcli defender export openshift \
  --user <ADMIN_USER> \
  --address <PRISMA_CLOUD_COMPUTE_CONSOLE_URL> \
  --cluster-address <PRISMA_CLOUD_COMPUTE_HOSTNAME> \
  --image-name 172.30.163.181:5000/twistlock/private:defender_<VERSION> \
  --cri \
  --helm
    2. Unpack the chart into a temporary directory.
      $ mkdir helm-defender
$ tar xvzf twistlock-defender-helm.tar.gz -C helm-defender/
    4. {{- if .Values.openshift }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: twistlock-console
...
    5. Repack the Helm chart
      $ cd helm-defender/
$ tar cvzf twistlock-defender-helm.tar.gz twistlock-defender/
    6. Install the new helm chart via the helm command
      $ helm install --namespace=twistlock -g twistlock-defender-helm.tar.gz

    Confirm Defenders were deployed

    Confirm the installation was successful.
    1. In Prisma Cloud Console, go to
      Compute > Manage > Defenders > Manage
       to see a list of deployed Defenders.
    2. In the OpenShift Web Console, go to the Prisma Cloud project’s monitoring window to see which pods are running.