VMware Tanzu Enterprise PKS

VMware Enterprise PKS lets you deploy Kubernetes clusters on demand. Use our standard Kubernetes install procedure to deploy Prisma Cloud to PKS. The only difference between PKS and standard Kubernetes is the location of the Docker socket.

Preflight checklist

To ensure that your installation goes smoothly, work through the following checklist and validate that all requirements are met.

General

  • You have access to a Prisma Cloud tenant.
  • You have the permissions to deploy Defenders.

Cluster

  • Prisma Cloud Defender requires elevated privileges. Ensure that the following permissions are set in your PKS cluster:
    • Set Privileged Containers to true (enabled).
    • Set DenyEscalatingExec to false (disabled). After Prisma Cloud is installed, you can utilize it to deny other privileged containers from starting and deny escalation of privileges.
  • The nodes in your cluster can reach Prisma Cloud’s cloud registry (registry-auth.twistlock.com).

Permissions

  • You can create and delete namespaces in your cluster.
  • You can Run
    kubectl create
    commands.

Firewalls and external IP addresses

Validate that the following ports are open:
Prisma Cloud Defenders
:
  • Incoming: None
  • Outgoing: 443 to Prisma Cloud

Install Prisma Cloud Defender DaemonSet

The standard location of the Docker socket in Kubernetes is
/var/run/docker.sock
. In PKS, the Docker socket can be located in either
/var/vcap/data/sys/run/docker/docker.sock
or
/var/vcap/sys/run/docker/docker.sock
. Before you deploy your Defender DaemonSet, you must manually update the Defender DaemonSet configuration file with the path to the Docker socket.
  1. Use the standard procedure for generating a standard DaemonSet file.
    The DaemonSet file can be generated from the Prisma Cloud UI. Go to
    Prisma Cloud > Compute > Defenders > Deploy > DaemonSet
    and configure your deployment. At the bottom of the page, choose
    Download YAML directly
    .
  2. Open
    defender.yaml
    for editing, and update the file so Defender can find the Docker socket.
    1. In
      volumeMounts
      ,
      name: docker-sock-folder
      , set
      mountPath
      to:
      mountPath: "/var/vcap/data/sys/run/docker"
    2. In
      env
      ,
      name: _DOCKER_CLIENT_ADDRESS
      , set
      value
      to:
      value: "/var/vcap/data/sys/run/docker/docker.sock"
    3. In
      volumes
      ,
      name: docker-sock-folder
      ,
      hostPath
      , set
      path
      to:
      path: "/var/vcap/data/sys/run/docker"
  3. Deploy your Defender DaemonSet.
    1. Create the Twistlock namespace.
      $ kubectl create namespace twistlock
    2. Deploy the Defender DaemonSet.
      $ kubectl create -f defender.yaml

Recommended For You