1. Overview

This guide demonstrates how to deploy Prisma Cloud Defenders outside the OpenShift cluster where Prisma Cloud Console is running. You need to expose the Prisma Cloud Console service's TCP ports 8083 and 8084 as external OpenShift routes. Each route is a unique, fully qualified domain name. In this example, you deploy Prisma Cloud Defenders as a DaemonSet in a second OpenShift cluster and to a Windows Server 2016 with Containers node. Prisma Cloud API calls are made to the Prisma Cloud Console's external OpenShift router at https://console1.apps.jonathan.lab.twistlock.com, and the Prisma Cloud Defenders communicate with the Console via wss://defenders.apps.jonathan.lab.twistlock.com:443.

Prerequisites:

  • The Prisma Cloud Console is fully operational. See the Prisma Cloud OpenShift 3.11 and OpenShift 4 deployment guides.

  • An existing OpenShift external route to the Prisma Cloud Console's TCP port 8083 (Prisma Cloud UI and API).

2. OpenShift and Prisma Cloud Console configuration

All commands are run from a system external to the OpenShift cluster, using the oc and twistcli command-line tools.

  1. Log into the OpenShift Cluster running the Prisma Cloud Console.

  2. Go to Prisma Cloud Project > Applications > Routes.

  3. Create New Route.

    1. Name: twistlock-defender.

    2. Hostname: defenders.apps.jonathan.lab.twistlock.com.

    3. Target Port: 8084 → 8084.

    4. Security:

      • TLS Termination: Passthrough.

      • Insecure Traffic: Redirect.

  4. Add the new route's FQDN to the Prisma Cloud Console certificate's Subject Alternative Names (SAN).

    1. In the Prisma Cloud Console go to Manage > Defenders > Names.

    2. Click Add SAN.

    3. Add the new route FQDN defenders.apps.jonathan.lab.twistlock.com.

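The route created through the Console UI in steps 3.1 to 3.4, expressed as a manifest that can be applied with oc create -f, together with a pre-apply check that the route is really a passthrough route to port 8084. This is an added example, not part of this guide or of the Prisma Cloud product; it assumes the Console Service is named twistlock-console in the twistlock project (verify with oc get svc -n twistlock before applying) and uses the hostname from this guide.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud docs. Emits the OpenShift Route that
# matches the UI steps above (passthrough TLS to the Console's port 8084) and
# checks a manifest before it is applied.
# Assumption: the Console Service is called twistlock-console in project
# twistlock; confirm with `oc get svc -n twistlock` before applying.

ROUTE_NAME="twistlock-defender"
ROUTE_HOST="defenders.apps.jonathan.lab.twistlock.com"
CONSOLE_SVC="twistlock-console"   # assumed service name
DEFENDER_PORT="8084"

# Print the Route manifest to stdout.
defender_route_manifest() {
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: ${ROUTE_NAME}
  namespace: twistlock
spec:
  host: ${ROUTE_HOST}
  to:
    kind: Service
    name: ${CONSOLE_SVC}
  port:
    targetPort: ${DEFENDER_PORT}
  tls:
    # Passthrough: the router does not terminate TLS, so Defenders see the
    # Console's own certificate; that is why the route FQDN must be in its SAN.
    termination: passthrough
    # Plain-HTTP requests to this host are redirected rather than served.
    insecureEdgeTerminationPolicy: Redirect
EOF
}

# Read a Route manifest on stdin; return 0 only if it is a passthrough route to
# the Defender port. Edge or reencrypt termination is rejected because the router
# would then present its own certificate to the Defenders instead of the Console's.
check_defender_route() {
  manifest=$(cat)
  printf '%s\n' "$manifest" | grep -q '^[[:space:]]*termination:[[:space:]]*passthrough[[:space:]]*$' || return 1
  printf '%s\n' "$manifest" | grep -q "^[[:space:]]*targetPort:[[:space:]]*${DEFENDER_PORT}[[:space:]]*$" || return 1
  return 0
}

# Typical use (needs cluster access):
#   defender_route_manifest | check_defender_route && defender_route_manifest | oc create -f -
```

The check is deliberately strict about termination: an edge or reencrypt route would still let the WebSocket connect, but the Defenders would be validating the router's certificate rather than the Console's, which defeats the SAN step that follows.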

3. Deploy Prisma Cloud Defender Daemonset in Second OpenShift Cluster

Use the twistcli tool to generate the Prisma Cloud Defender defender.yaml file.

  1. Run the command:

    $ linux/twistcli defender export openshift \
      --address https://console1.apps.jonathan.lab.twistlock.com \
      --cluster-address defenders.apps.jonathan.lab.twistlock.com \
      --namespace twistlock \
      --selinux-enabled
  2. Edit the resulting defender.yaml and change the WS_ADDRESS port from 8084 (the Console's own port, which twistcli writes) to 443 (the external route's port). Change:

      - name: WS_ADDRESS
        value: wss://defenders.apps.jonathan.lab.twistlock.com:8084

    to:

      - name: WS_ADDRESS
        value: wss://defenders.apps.jonathan.lab.twistlock.com:443
  3. Run oc login against the OpenShift cluster to which you will deploy the Prisma Cloud Defenders.

  4. Create the Prisma Cloud project: oc new-project twistlock.

  5. Deploy the Prisma Cloud Defender DaemonSet: oc create -f ./defender.yaml.

  6. The Defenders in the second OpenShift cluster will appear in the Prisma Cloud Console under Manage > Defenders > Manage.

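Step 2 above is a hand edit of a generated file; the script below does the same rewrite with sed, verifies it, and dry-runs it offline against a constructed sample of the env block that twistcli emits. It also includes a post-deployment check that the passthrough route presents a certificate whose SAN contains the route FQDN (the requirement from section 2). This is an added example, not part of this guide or of twistcli; it assumes the route FQDN and port used in this guide, and the openssl x509 -ext option requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud docs. Post-processes the defender.yaml
# that `twistcli defender export openshift` produces so the DaemonSet dials the
# external passthrough route on 443 (step 2 above), then checks the result.
# Assumes the route FQDN and ports from this guide; adjust for your environment.

ROUTE_FQDN="defenders.apps.jonathan.lab.twistlock.com"
ROUTE_PORT="443"
CONSOLE_PORT="8084"   # port twistcli writes into WS_ADDRESS (the Console's own port)

# Rewrite the WS_ADDRESS value in a defender.yaml so it points at the route port,
# then print the resulting wss:// URL. Only the matching value line is touched.
patch_ws_address() {
  file="$1"
  sed -E "s#^([[:space:]]*value: wss://${ROUTE_FQDN}):${CONSOLE_PORT}[[:space:]]*\$#\1:${ROUTE_PORT}#" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
  sed -n -E 's#.*(wss://[^[:space:]]+).*#\1#p' "$file" | head -n 1
}

# Return 0 only if the file points at the route port and no longer at the Console port.
check_ws_address() {
  if grep -q "value: wss://${ROUTE_FQDN}:${CONSOLE_PORT}" "$1"; then return 1; fi
  grep -q "value: wss://${ROUTE_FQDN}:${ROUTE_PORT}" "$1"
}

# Constructed sample of the env block twistcli emits, for an offline dry run.
# EXAMPLE_OTHER_VAR is a made-up entry that stands in for the other env values
# and shows that the rewrite leaves unrelated "8084" strings alone.
make_sample_defender_yaml() {
  cat > "$1" <<EOF
        env:
        - name: WS_ADDRESS
          value: wss://${ROUTE_FQDN}:${CONSOLE_PORT}
        - name: EXAMPLE_OTHER_VAR
          value: "8084"
EOF
}

# After `oc create -f defender.yaml`: confirm the passthrough route hands the
# Console's certificate through unchanged and that the route FQDN is in its SAN.
# Needs network access to the route; not exercised by the offline dry run.
show_route_san() {
  openssl s_client -connect "${ROUTE_FQDN}:${ROUTE_PORT}" -servername "${ROUTE_FQDN}" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
}

# Offline dry run on the constructed sample:
#   f=$(mktemp); make_sample_defender_yaml "$f"; patch_ws_address "$f"; check_ws_address "$f" && echo ok
```

If show_route_san does not list defenders.apps.jonathan.lab.twistlock.com, either the SAN step in section 2 was skipped or the route is not passthrough and the router is presenting its own certificate; in both cases the Defenders will fail certificate validation against the Console.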

4. Deploy Prisma Cloud Defender on a Windows Server 2016 with Containers Node

Deploy Prisma Cloud Defender on a Windows Server 2016 node.

  1. Log into Prisma Cloud Console.

  2. Go to Manage > Defenders > Deploy.

    1. 1.a = console1.apps.jonathan.lab.twistlock.com.

    2. 1.b = Docker on Windows.

  3. Copy the PowerShell script that is generated in 1.c.

  4. Modify the following in the script:

    1. Remove “:8083” from the -Uri.

      -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1"
    2. Change the -consoleCN to the twistlock-defender FQDN and add the -wsPort 443 parameter.

      -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443
  5. The resulting script looks similar to the following:

    add-type "using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; }}"
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
    Invoke-WebRequest -Uri "https://console1.apps.jonathan.lab.twistlock.com/api/v1/scripts/defender.ps1" -Headers @{"authorization" = "Bearer <token>" } -OutFile defender.ps1
    .\defender.ps1 -type dockerWindows -consoleCN defenders.apps.jonathan.lab.twistlock.com -wsPort 443 -install
  6. On the Windows Server node, run the script in a 64-bit PowerShell session.

  7. The Windows Prisma Cloud Defender will appear in Manage > Defenders > Manage.
