System Requirements
Before installing Prisma Cloud, verify that your environment meets the minimum requirements.
For information about when Prisma Cloud adds and drops support for third party software, see our support lifecycle page.
Hardware
Prisma Cloud supports
x86_64
and ARM64
architectures.
Ensure that your systems meet the following hardware requirements.Defender Resource Requirements
Each Defender requires 256MB of RAM and 8GB of host storage.
The Defender uses cgroups to cap resource usage at 512MB of RAM and 900 CPU shares where a typical load is ~1-5% CPU and 30-70MB RAM.
The Defender stores its data in the /var folder.
When allocating disk space for Defender, ensure the required space is available in the /var folder.
Defenders are designed to be portable containers that collect data.
Any data that must be persisted is sent to the Prisma Cloud Console for storage.
Defenders don’t require persistent storage.
If you deploy persistent storage for Defenders, it can corrupt Defender files.
If Defenders provide registry scanning they require the following resources:
- Defenders providing registry scanning--
- 2GB of RAM
- 20GB of storage
- 2 CPU cores Defenders that are part of CI integrations (Jenkins, twistcli) require storage space depending on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space: 500MB x 1.5 x 2
Virtual Machines (VMs)
Prisma Cloud has been tested on the following hypervisors:
- VMware for Tanzu Kubernetes Grid Multicloud (TKGM)
- VMware for Tanzu Kubernetes Grid Integrated (TKGI)
Cloud Platforms
Prisma Cloud can run on nearly any cloud Infrastructure as a Service (IaaS) platform.
Prisma Cloud has been tested on the following services:
- Amazon Web Services (AWS)
- Google Cloud Platform
- IBM Cloud
- Microsoft Azure
- Oracle Cloud Infrastructure (OCI)
ARM Architecture Requirements
The following setups support Prisma Cloud on ARM64 architecture:
- Cloud provider
- AWSGraviton2 processors
- GCPGKE on ARM using the Tau T2A machine series
- Supported Defenders:
- Orchestrator Defenders on AWS and GCP
- Host Defenders including auto-defend on AWS
- The twistcli is supported on Linux ARM64 instances.
Learn more in the Supported Operating Systems on ARM64 and Supported Orchestrators on ARM64 sections.
The Prisma Cloud Console doesn’t support running on ARM64 systems.
Host Operating Systems
Prisma Cloud is supported on both x86_64 and ARM64
Supported Operating Systems on x86_64
Prisma Cloud is supported on the following host operating systems on x86_64 architecture:
Distro | Version |
---|---|
Amazon Linux 2 | AMI name: amzn2-ami-hvm-2.0.20220426.0-x86_64-gp2 AMI ID: ami-06eecef118bbf9259 |
Bottlerocket OS | Tested version: 1.7.0 Containerd v1.5.11 Kernel version: 5.10.102 Kubelet version: v1.22.6-eks-b18cdc9
|
CentOS | CentOS 7 CentOS 8 |
Debian | Debian 10 Debian 11 |
GCOOS | Container-Optimized OS on Google Cloud latest GCOOS is purposefully minimalistic. It doesn’t support installing new packages or writing new bins. Hence, Prisma Cloud’s vulnerability detection on GCOOS only covers Docker and Kubernetes package binary detection. Runtime prevent capability is supported only for DNS events. Other prevent capabilities are not supported. |
Red Hat Enterprise Linux | Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 |
Red Hat Enterprise Linux CoreOS (RHCOS) | Red Hat Enterprise Linux CoreOS (RHCOS) versions included in OpenShift versions: 4.8, 4.9, and 4.10 |
SUSE | SLES-12 SP5 SLES 15 - Only Host Defenders are supported. SLES 15 SP1 - SP4 - Only Host Defenders are supported. |
Ubuntu | Ubuntu 22.04 LTS Ubuntu 18.04 LTS |
VMware | Photon OS 3.0 - Runtime scanning supported with kernel version >= 4.19.191-1 Photon OS 4.0 - Runtime scanning not supported The following use features are currently not supported in Photon 3.0 and 4.0:
|
Windows | Windows Server 2016 Windows Server 2019 Long-Term Servicing Channel (LTSC) Windows on ARM64 architecture is not supported Defender is supported on Windows Server 2016 (vulnerability and compliance scanning), and Windows Server 2019 (vulnerability scanning, compliance scanning, and runtime defense for containers). |
Supported Operating Systems on ARM64
Prisma Cloud is supported on the following host operating systems on ARM64 architecture in AWS:
Distro | Version |
---|---|
Amazon Linux 2 | AMI Image: amzn-ami-hvm-2018.03.0.20220315.0-x86_64-gp2 AMI ID: ami-0f7691f59fd7c47af |
CentOS | AMI Image: CentOS-8-ec2-8.3.2011-20210302.1.arm64-a14b8c70-a48b-4a94-87b3-5dc93b3f6be8 AMI ID: ami-0446e1158fe3f255a |
Debian | AMI Image: debian-10-arm64-20210208-542 AMI ID: ami-08b2293fdd2deba2a |
Photon | aws- no photon image |
Redhat Enterprise Linux (RHEL) | AMI Image: RHEL-8.4.0_HVM-20210504-arm64-2-Hourly2-GP2 AMI ID: ami-01fc429821bf1f4b4 |
Ubuntu | AMI Image: ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-arm64-server-20211129 AMI ID: ami-0a940cb939351ccca AMI Image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-arm64-server-20211129 AMI ID: ami-0b49a4a6e8e22fa16 |
Kernel Capabilities
Prisma Cloud Defender requires the following kernel capabilities.
More info about each capability can be found on the Linux capabilities man page.
When running on a Docker host, Prisma Cloud Defender uses the following files/folder on the host:
- /var/run/docker.sock — Required for accessing Docker runtime.
- /var/lib/twistlock — Required for storing Prisma Cloud data.
- /dev/log — Required for writing to syslog.
Docker Engine
Prisma Cloud supports only the versions of the Docker Engine supported by Docker itself. Prisma Cloud supports only the following official mainstream Docker releases and later versions.
- Community Edition (CE):
- 18.06.1
- 20.10.7
- 20.10.13
- Enterprise Edition (EE):
- 19.03.4
- 19.03.8
For more information, review Docker’s guide to select a storage driver.
The versions of Docker Engine listed apply to versions you independently install on a host.
The versions shipped as a part of an orchestrator, such as Red Hat OpenShift, might defer.
Prisma Cloud supports the version of Docker Engine that ships with any Prisma Cloud-supported version of the orchestrator.
OCI Runtimes
Prisma Cloud supports the following container runtimes:
Container runtime | Version |
---|---|
Docker | See the Docker section |
Native Kubernetes 1.22.9 (containerd 1.6.4) Native Kubernetes 1.23.3 (containerd 1.4.12) Supported versions are listed in the orchestration section | |
OS 4.8 - CRIO version 1.21.3 OS 4.9- CRIO version 1.22.3 OS 4.10- CRIO version 1.23.1 K8s native - versions 1.22, 1.23 (x86_64 Arch) |
Podman
Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.
Podman v1.6.4, v3.0.1, v4.0.2
Helm
Helm is a package manager for Kubernetes that allows developers and operators to more easily package, configure, and deploy applications and services onto Kubernetes clusters.
Helm v3.9 is supported.
Orchestrators
Prisma Cloud is supported on the following orchestrators.
We support the following versions of official mainline vendor/project releases.
Supported Orchestrators on x86_64
Orchestrator | Version |
---|---|
Azure Kubernetes Service (AKS) | Linux on AKS: v1.22.6, v1.23.5 (containerd 1.5.11) Windows on AKS: v1.22.6, v1.23.3 |
Bottlerocket | Bottlerocket OS 1.7.0 (aws-k8s-1.22) containerd 1.5.11 Kernel version: 5.10.102 Kubelet version: v1.22.6-eks-b18cdc9 The following features are not supported.
|
Elastic Container Service (ECS) | ECS Fargate Console: Fargate Platform 1.4.0 ECS x86 Console: AMI Image: amzn2-ami-ecs-hvm-2.0.20220509-x86_64-ebs AMI ID: ami-061c10a2cb32f3491 ECS agent version: 1.61.0 Docker version:20.10.13 |
Elastic Kubernetes Service (EKS) | EKS 1.21.9 (containerd 1.4.13) EKS 1.22.6 (containerd 1.4.6) |
Google Kubernetes Engine (GKE) | GKE 1.21.11 (containerd 1.4.8) GKE 1.22.8 (containerd 1.5.4) GKE 1.23.7 (containerd 1.5.11) |
Google Kubernetes Engine (GKE) autopilot | GKE autopilot 1.21.11 (containerd 1.4.8) Custom Compliance and Prevent (Runtime) are not supported on GKE autopilot. |
Kubernetes (k8s) | k8s 1.22.9 (CRIO 1.22.3) k8s 1.23.3 (CRIO 1.23.1) k8s 1.22.9 (containerd 1.6.4) k8s 1.23.3 (containerd 1.4.12) k8s 1.23.8 Docker 20.10.17 |
Lightweight Kubernetes (k3s) | k3s version: 1.21.7+k3s1 (containerd 1.4.12-k3s1) On Linux/AMD64:
|
OpenShift | OpenShift versions: 4.8, 4.9, and 4.10 |
Rancher Kubernetes Engine (RKE) | RKE2 v1.22.5+rke2r1 (containerd 1.5.8-k3s) |
VMware Tanzu Application Service (TAS) | v2.11, v2.12, v2.13 |
VMware Tanzu Kubernetes Grid Integrated (TKGI) | TKGi version: TAS TKGI 1.14 Kernel Version: 4.15.0-184-generic containerd version: 1.6.0 OS version: Ubuntu 16.0.4.7 LTS |
VMware Tanzu Kubernetes Grid Multicloud (TKGM) | TKG Multicloud 1.5.1 vSphere 6.7U3
|
Supported Orchestrators on ARM64
Prisma Cloud supports the official releases of the following orchestrators for the ARM64 architecture.
Orchestrator | Version |
---|---|
Elastic Container Service (ECS) | AMI name: amzn2-ami-ecs-hvm-2.0.20220411-arm64-ebs ECS agent 1.61.0 Docker 20.10.7 |
Elastic Kubernetes Service (EKS) | EKS v1.21.5 (containerd 1.4.6) |
GKE on ARM | GKE version: v1.24.1-gke.1400 containerd version: 1.6.2 Defenders running in GKE on ARM don’t support the following features:
While Prevent is not supported, runtime detection is supported for processes and file system events. |
Kubernetes with containerd | Kubernetes 1.23.5 (containerd 1.5.11) |
Kubernetes with Docker | Docker Engine version: 20.10.14 API version:1.41 Go Version: go1.16.15 |
OpenShift | OpenShift 4.10 (CRI-O 1.23) |
Istio
Prisma Cloud supports Istio 1.13.4.
Jenkins
Prisma Cloud supports Jenkins 2.235.1, 2.319.1, and the 2.319.2 container version.
The Prisma Cloud Jenkins plugin supports Jenkins LTS releases greater than 2.319.1.
For any given release of Prisma Cloud, the plugin supports those Jenkins LTS releases supported by the Jenkins project at the time of the Prisma Cloud release.
The Jenkins plugin is not supported on ARM64 architecture.
Image Base Layers
Prisma Cloud can protect containers built on nearly any base layer operating system.
Comprehensive Common Vulnerabilities and Exposures (CVE) data is provided for the following base layers for all versions except EOL versions:
- Alpine
- Amazon Linux 2
- BusyBox
- CentOS
- Debian
- Red Hat Enterprise Linux
- SUSE
- Ubuntu (LTS releases only)
- Windows Server
If a CVE doesn’t have an architecture identifier, the CVE is related to all architectures.
Serverless Runtimes
Prisma Cloud can protect AWS Lambda functions at runtime. Prisma Cloud supports the following runtimes:
Serverless Runtimes Using Lambda Layers
- Node.js 12.x, 14.x
- Python 3.6, 3.7, 3.8, 3.9
- Ruby 2.7
Serverless Runtimes Using Manually Embedded Defenders in AWS
- C# (.NET Core 3.1)
- Java 8, 11
- Node.js 12.x, 14.x
- Python 3.6, 3.7, 3.8, 3.9
- Ruby 2.7
Prisma Cloud can also scan serverless functions for vulnerabilities and compliance benchmarks.
Prisma Cloud supports the following runtimes for vulnerability and compliance scans in AWS Lambda, Google Cloud Functions, and Azure Functions:
Serverless Vulnerability and Compliance Scanning
- Node.js 12.x, 14.x
- Python 3.6, 3.7, 3.8, 3.9
- Ruby 2.7
Serverless WAAS Functions
- Java 11
- Node.js 12.x, 14.x
- Python 3.6, 3.7, 3.8, 3.9
- Ruby 2.7
Serverless Runtimes Using Manually Embedded Defenders in Azure
- C# 3 (.NET Core 3.1)
- C# 5 (.NET Core 4.0)
- C# 6 (.NET Core 4.0)
Go
Prisma Cloud can detect vulnerabilities in Go executables for Go versions 1.13 and greater.
Shells
For Linux, Prisma Cloud depends on the Bash shell.
For Windows, Prisma Cloud depends on PowerShell.
The shell environment variable DOCKER_CONTENT_TRUST should be set to 0 or unset before running any commands that interact with the Prisma Cloud cloud registry, such as Defender installs or upgrades.
Browsers
Prisma Cloud supports the latest versions of Chrome, Safari, and Edge.
For Microsoft Edge, only the new Chromium-based version (80.0.361 and later) is supported.
Cortex XDR
Prisma Cloud Defenders can work alongside Cortex XDR agents.
Currently, users need to manually add exceptions in Console for both agents to work together.
In a future release, there will be out-of-the-box support for co-existence.
Users can disable the Defender runtime defense when a Cortex XDR agent is present.
To allow for both the solutions to co-exist:
- Add the Cortex agent as a trustable executable. For more information, see to Creating a trusted exeuctable.
- Suppress runtime alerts from the Cortex agent by adding custom runtime rules that allow the Cortex agent process and file path.
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.