Deploy Defender on OpenShift v4
Prisma Cloud Defenders are deployed as a DaemonSet, which ensures that an instance of Defender runs on every node in the cluster. You can run Defenders on OpenShift master and infrastructure nodes by removing the taint from them.
The Prisma Cloud Defender container images can be stored either in the internal OpenShift registry or your own Docker v2 compliant registry. This guide shows you how to generate deployment YAML files for Defenders, and then deploy them to your OpenShift cluster with the oc client.
To better understand clusters, read our cluster context topic.
To ensure that your installation on supported versions of OpenShift v4.x goes smoothly, work through the following checklist and validate that all requirements are met.
Minimum system requirements
Validate that the components in your environment (nodes, host operating systems, orchestrator) meet the specs in System requirements.
Validate that you have permission to:
- Push to a private docker registry. For most OpenShift setups, the registry runs inside the cluster as a service. You must be able to authenticate with your registry with docker login.
- Pull images from your registry. This might require the creation of a docker-registry secret.
- Have the correct role bindings to pull and push to the registry. For more information, see Accessing the Registry.
- Create and delete projects in your cluster. For OpenShift installations, a project is created when you run oc new-project.
Create an OpenShift project for Prisma Cloud
- Login to the OpenShift cluster and create the twistlock project:$ oc new-project twistlock
(Optional) Push the Prisma Cloud images to a private registry
When Prisma Cloud is deployed to your cluster, the images are retrieved from a registry. You have a number of options for storing the Prisma Cloud Console and Defender images:
- OpenShift internal registry.
- Private Docker v2 registry. You must create a docker-secret to authenticate with the registry.
Your cluster nodes must be able to connect to the Prisma Cloud cloud registry (registry-auth.twistlock.com) with TLS on TCP port 443.
This guides shows you how to use both the OpenShift internal registry and the Prisma Cloud cloud registry. If you’re going to use the Prisma Cloud cloud registry, you can skip this section. Otherwise, this procedure shows you how to pull, tag, and upload the Prisma Cloud images to the OpenShift internal registry’s twistlock imageStream.
- Determine the endpoint for your OpenShift internal registry. Use either the internal registry’s service name or cluster IP.$ oc get svc -n default NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE docker-registry ClusterIP 172.30.163.181 <none> 5000/TCP 88dPull the image from the Prisma Cloud cloud registry using your access token. The major, minor, and patch numerals in the <VERSION> string are separated with an underscore. For exampe, 18.11.128 would be 18_11_128.$ docker pull \ registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/defender:defender_<VERSION>Tag the image for the OpenShift internal registry.$ docker tag \ registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/defender:defender_<VERSION> \ 172.30.163.181:5000/twistlock/private:defender_<VERSION>Push the image to the twistlock project’s imageStream.$ docker push 172.30.163.181:5000/twistlock/private:defender_<VERSION>
- Option 1 - remove taint all nodes:$ oc adm taint nodes --all node-role.kubernetes.io/master-Option 2 - remove taint from specific nodes:$ oc adm taint nodes <node-name> node-role.kubernetes.io/master-Option 3 - add tolerations to the twistlock-defender-ds DaemonSet:$ oc edit ds twistlock-defender-ds -n twistlockAdd the following toleration in PodSpec (DaemonSet.spec.template.spec)tolerations: - key: "node-role.kubernetes.io/master" operator: "Exists" effect: "NoSchedule"
Use OC to Deploy the Defender
You can deploy Defenders using the OpenShift OC.
Control Defender deployments with taint
You can deploy Defenders to all nodes in an OpenShift cluster (master, infra, compute). OpenShift Container Platform automatically taints infra and master nodes These taints have the NoSchedule effect, which means no pod can be scheduled on them.
To run the Defenders on these nodes, you can either remove the taint or add a toleration to the Defender DaemonSet. Once this is done, the Defender Daemonset will automatically be deployed to these nodes (no need to redeploy the Daemonset). Adjust the guidance in the following procedure according to your organization’s deployment strategy.