1. Overview

VMware Tanzu Kubernetes Grid (TKG) lets you deploy Kubernetes clusters on demand. Use our standard Kubernetes install procedure to deploy Prisma Cloud to TKG. The only difference between TKG and standard Kubernetes is the location of the Docker socket. A single-line change in the Prisma Cloud configuration file lets you specify the path to the Docker socket in TKG. From there, follow the normal Kubernetes install procedure.

2. Preflight checklist

To ensure that your installation goes smoothly, work through the following checklist and validate that all requirements are met.

2.1. General

  • You have a valid Prisma Cloud license key and access token.

2.2. Cluster

  • You have provisioned a TKG cluster that meets the minimum system requirements.

  • Prisma Cloud Defender requires elevated privileges. Ensure that the following permissions are set in your TKG cluster:

    • Set Privileged Containers to true (enabled).

    • Set DenyEscalatingExec to false (disabled). Once Prisma Cloud is installed, you can use it to block other privileged containers from starting and to deny privilege escalation.

  • The nodes in your cluster can reach Prisma Cloud’s cloud registry (registry-auth.twistlock.com).

2.3. Permissions

  • You can create and delete namespaces in your cluster.

  • You can run kubectl create commands.

2.4. Firewalls and external IP addresses

Validate that the following ports are open:

Prisma Cloud Console:

  • Incoming: 8083, 8084

  • Outgoing: 443, 53

Prisma Cloud Defenders:

  • Incoming: None

  • Outgoing: 8084

3. Install Prisma Cloud

Prepare your TKG environment, then use the standard procedure for installing Prisma Cloud on Kubernetes.

3.1. Download the Prisma Cloud software

Download the Prisma Cloud software to your cluster’s controller node.

  1. Download the current recommended release.

  2. Download the release tarball to your cluster controller.

    $ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE_LINK>
  3. Unpack the Prisma Cloud release tarball.

    $ mkdir twistlock
    $ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
  4. Open twistlock/twistlock.cfg and set the path to the Docker socket.

    DOCKER_SOCKET=${DOCKER_SOCKET:-/var/vcap/data/sys/run/docker/docker.sock}
  5. In twistlock.cfg, set RUN_CONSOLE_AS_ROOT to true.

    RUN_CONSOLE_AS_ROOT=${RUN_CONSOLE_AS_ROOT:-true}
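Steps 4 and 5 as a script, an added example that is not part of the Prisma Cloud documentation: it rewrites the two TKG-specific lines of twistlock.cfg in place (safe to re-run) and then reads the effective values back the way the installer's shell expansion would, so a wrong socket path is caught before Console is launched. The sample configuration file is constructed; the download and unpack steps (placeholder link) are left to the operator.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs). Assumes a twistlock.cfg
# unpacked from the release tarball and the TKG Docker socket path given
# in the procedure.

TKG_DOCKER_SOCKET="/var/vcap/data/sys/run/docker/docker.sock"

# Constructed stand-in for the two relevant lines of a fresh twistlock.cfg
# (the real file contains many more settings; defaults here are assumed).
write_sample_cfg() {
  cat > "$1" <<'EOF'
# constructed sample, not a real twistlock.cfg
DOCKER_SOCKET=${DOCKER_SOCKET:-/var/run/docker.sock}
RUN_CONSOLE_AS_ROOT=${RUN_CONSOLE_AS_ROOT:-false}
EOF
}

# Rewrite the DOCKER_SOCKET and RUN_CONSOLE_AS_ROOT lines, keeping the
# ${VAR:-default} form the file uses. Idempotent; a .bak copy is kept.
configure_tkg_cfg() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  sed -i.bak \
    -e "s#^DOCKER_SOCKET=.*#DOCKER_SOCKET=\${DOCKER_SOCKET:-${TKG_DOCKER_SOCKET}}#" \
    -e 's#^RUN_CONSOLE_AS_ROOT=.*#RUN_CONSOLE_AS_ROOT=${RUN_CONSOLE_AS_ROOT:-true}#' \
    "$cfg"
}

# Effective value of <VAR> in <cfg>: source the file in a subshell (with any
# inherited value cleared) so the ${VAR:-default} expansion is evaluated
# exactly as the install scripts would evaluate it.
effective_value() {           # effective_value <cfg> <VAR>
  ( unset "$2"; . "$1"; eval "printf '%s' \"\$$2\"" )
}

# Both TKG-specific settings must resolve to the expected values.
verify_tkg_cfg() {
  [ "$(effective_value "$1" DOCKER_SOCKET)" = "$TKG_DOCKER_SOCKET" ] || return 1
  [ "$(effective_value "$1" RUN_CONSOLE_AS_ROOT)" = "true" ] || return 1
}

# Run on a TKG node: the configured path must be a live socket, otherwise
# Defender cannot talk to the container runtime.
check_node_socket() {
  [ -S "$1" ]
}

# Usage: ./tkg-cfg.sh twistlock/twistlock.cfg
if [ -n "${1:-}" ]; then
  configure_tkg_cfg "$1" && verify_tkg_cfg "$1" && echo "twistlock.cfg ready for TKG"
fi
```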

3.2. Install Console and Defenders

Proceed with the standard instructions for installing Prisma Cloud on Kubernetes.