This procedure is optimized to get Prisma Cloud installed and set up in your Docker Swarm cluster quickly. There are many ways to install Prisma Cloud, but we recommend that you start with this procedure first. You can tweak the install procedure after you have validated that this install method works.
The Prisma Cloud install supports Docker Swarm using Swarm-native constructs. Deploy Defender as a global service to guarantee that Defender is automatically deployed to every worker node with a simple one-time configuration.
Install Prisma Cloud
After completing this procedure, Prisma Cloud Defenders will run in your Swarm cluster. In this procedure, Prisma Cloud images are pulled from Prisma Cloud’s cloud registry.
Prisma Cloud doesn’t support deploying Defender as a global service when SELinux is enabled on your underlying hosts. Defender requires access to the Docker socket to monitor your environment and enforce your policies. SELinux blocks access to the Docker socket because such access can be a serious security issue. Unfortunately, Swarm doesn’t provide a way for legitimate services to run with elevated privileges: none of the --security-opt, --privileged, or --cap-add flags are supported for Swarm services. As a workaround, install a single Container Defender on each individual node in your cluster.
Defender is installed as a global service, which ensures it runs on every node in the cluster. Console provides a GUI to configure all the options required to deploy Defender into your environment.
- Open Console.
- Go to Manage > Defenders > Names.
- Go to Compute > Manage > Defenders > Deploy > Swarm.
- Work through each of the configuration options:
  - Observe the DNS name Defenders will use to connect to Console. Verify that this address is reachable from the nodes where Defender will run.
  - Choose the registry that hosts the Defender image. Select Prisma Cloud’s registry.
  - Set Deploy Defenders with SELinux Policy to Off.
- Copy the generated curl-bash command.
- Connect to your Swarm master.
  $ ssh <SWARM-MASTER>
- Paste the curl-bash command into your shell, then run it. You need sudo privileges to run this command.
  $ curl -sSL -k --header "authorization: Bearer <TOKEN>" ...
- Validate that the Defender global service is running. Open Console, then go to Manage > Defenders > Manage. The table lists all Defenders deployed to your environment (one per node).
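The Console table above is the authoritative view, but the same two facts can be checked from the Swarm manager's shell: that SELinux is not enforcing on the host (the global-service limitation described earlier) and that the Defender global service has one running task per node. This is an added example, not Prisma Cloud's own tooling; it assumes the service created by the install script is named twistlock-defender (override with DEFENDER_SERVICE if `docker service ls` shows a different name) and that every node in the cluster is Active.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling: a pre-flight SELinux check and a
# post-install check that the Defender global service has a task on every node.
# Assumption: the global service created by the install script is named
# "twistlock-defender"; override with DEFENDER_SERVICE if `docker service ls`
# shows a different name.
SERVICE_NAME="${DEFENDER_SERVICE:-twistlock-defender}"

# Global-service deployment is unsupported with SELinux enforcing on the hosts.
# $1 = output of `getenforce` on the node being checked. Returns 0 when OK.
selinux_allows_global_service() {
  case "$1" in
    Permissive|Disabled) return 0 ;;
    *) return 1 ;;   # Enforcing, or an unrecognised string: treat as blocked
  esac
}

# $1 = the Defender line of `docker service ls --format '{{.Name}} {{.Mode}} {{.Replicas}}'`
# (for example "twistlock-defender global 3/3"); $2 = node count from `docker node ls`.
# Returns 0 only when the service is global and its running tasks equal the node count.
defender_covers_all_nodes() {
  set -- $1 "$2"                     # split the line into: name mode running/desired nodes
  [ "$1" = "$SERVICE_NAME" ] || return 1
  [ "$2" = "global" ] || return 1
  running=${3%%/*}; desired=${3#*/}
  [ "$running" = "$desired" ] && [ "$desired" = "$4" ]
}

# Runs both checks against the live cluster from a Swarm manager. The SELinux
# check only covers the host it runs on, so repeat it on each worker node.
run_checks() {
  mode=$(getenforce 2>/dev/null || echo Disabled)   # no SELinux tooling: treat as Disabled
  selinux_allows_global_service "$mode" || {
    echo "SELinux is $mode: install single Container Defenders per node instead" >&2; return 1; }
  nodes=$(docker node ls -q | wc -l | tr -d ' ')
  line=$(docker service ls --format '{{.Name}} {{.Mode}} {{.Replicas}}' | grep "^$SERVICE_NAME ") || true
  if defender_covers_all_nodes "$line" "$nodes"; then
    echo "Defender global service is running on all $nodes nodes"
  else
    echo "Defender is not running on every node (service: '${line:-not found}')" >&2; return 1
  fi
}

# Only touch the live cluster when explicitly asked: RUN_SWARM_CHECKS=1 sh check.sh
if [ "${RUN_SWARM_CHECKS:-0}" = 1 ]; then run_checks; fi
```

Run it on the manager with `RUN_SWARM_CHECKS=1`; a non-zero exit means either SELinux is enforcing on that host or the service is missing, not global, or short of one task per node.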
To uninstall Prisma Cloud, delete the Defender global service.
- Delete the Defender global service.
- Open Console, then go to Manage > Defenders > Deploy Swarm.
- Scroll to the bottom of the page, then copy the last curl-bash command, where it says The script below uninstalls the Swarm Defenders from the cluster.
- Connect to your Swarm master.
  $ ssh <SWARM-MASTER>
- Paste the curl-bash command into your shell, then run it.
  $ curl -sSL -k --header "authorization: Bearer <TOKEN>" ...
Using a private registry
For maximum control over your environment, you might want to store the Prisma Cloud container images in your own private registry, and then install Prisma Cloud from your private registry.
You can host the Defender image in your own private registry. Retrieve the image from Prisma Cloud’s registry, and then push it to your own registry. For Swarm deployments, Prisma Cloud supports only Docker Hub and Docker Trusted Registry registries.