1. Overview

Container orchestrators provide native capabilities for deploying agents, such as Defender, to every node in the cluster. Prisma Cloud leverages these capabilities to install Defender.

The process for deploying Container Defender to a cluster can be found in the dedicated orchestrator-specific install guides.

If you wish to automate the defenders deployment process to a cluster, or you don’t have kubectl access to your cluster (or oc access for OpenShift), you can deploy Defender DaemonSets directly from the Console UI.

This Defender install flow doesn’t let you manually configure a cluster name. Cluster names let you segment your views of the environment. For most cases, this shouldn’t be a problem because if you’re deploying to a managed cluster, then Prisma Cloud retrieves the cluster name directly from the cloud provider. If you must manually specify a name, deploy your Defenders from Manage > Defenders > Deploy > DaemonSet or use twistcli.

2. Deploy Defender DaemonSet using kubeconfig

Prerequisites:

  • You’ve created a kubeconfig credential for your cluster so that Prisma Cloud can access it to deploy the Defender DaemonSet.

Deployment process:

  1. Log into Prisma Cloud Console.

  2. Go to Manage > Defenders > Manage.

  3. Click DaemonSets.

  4. For each cluster in the table, click Actions > Deploy.

    The table shows a count of deployed Defenders and their version number.

3. Deploy Defender DaemonSet for GKE

Prerequisites:

  • You have a GKE cluster deployed

  • You’ve created a corresponding Service Account key in JSON format. The Service Account should have the following permissions:

    • Editor

    • Compute Storage Admin

    • Kubernetes Engine Admin

    • Service Account Token Creator

  • You’ve created a GCP credential for your cluster so that Prisma Cloud can access it to deploy the Defender DaemonSet:

    1. Log into Prisma Cloud Console.

    2. Go to Manage > Authentication > Credentials Store

    3. Click Add credential button

    4. Select type GCP and copy the content of the JSON Service Account key into the Service Account line (take it all including brackets).

To deploy the Defender DaemonSet, use the following procedure.

  1. Log into Prisma Cloud Console.

  2. Go to Manage > Defenders > Manage > DaemonSets.

    When the page is loaded, multiple rows of K8S clusters visible with SA credentials are displayed.

  3. Verify that the status is Success and the Defender count is 0/0 for all relevant clusters.

  4. For each cluster, click Actions > Deploy.

  5. Refresh the view and verify that for each cluster the version is the correct, the status is Success, and the Defender count is equal to the number of cluster nodes.