1. Overview

This procedure is optimized to get Prisma Cloud installed and set up in your Docker Swarm cluster quickly. There are many ways to install Prisma Cloud, but we recommend that you start with this procedure first. You can tweak the install procedure after you have validated that this install method works.

The Prisma Cloud install supports Docker Swarm using Swarm-native constructs. Deploy Defender as a global service to guarantee that Defender is automatically deployed to every worker node with a simple one-time configuration.

2. Install Prisma Cloud

After completing this procedure, Prisma Cloud Defenders will run in your Swarm cluster. In this procedure, Prisma Cloud images are pulled from Prisma Cloud’s cloud registry.

Prisma Cloud doesn’t support deploying Defender as a global service when SELinux is enabled on your underlying hosts. Defender requires access to the Docker socket to monitor your environment and enforce your policies. SELinux blocks access to the Docker socket because such access can be a serious security issue. Unfortunately, Swarm doesn’t provide a way for legitimate services to run with elevated privileges: none of the --security-opt, --privileged, or --cap-add flags are supported for Swarm services. As a work-around, install a single Container Defender on each individual node in your cluster.

2.1. Install Defender

Defender is installed as a global service, which ensures it runs on every node in the cluster. Console provides a GUI to configure all the options required to deploy Defender into your environment.

  1. Open Console.

  2. Go to Compute > Manage > Defenders > Deploy > Swarm.

  3. Work through each of the configuration options:

    1. Observe the DNS name Defenders will use to connect to Console. Verify that this address is reachable from the nodes where Defender will run.

    2. Choose the registry that hosts the Defender image. Select Prisma Cloud’s registry.

    3. Set Deploy Defenders with SELinux Policy to Off.

    4. Copy the generated curl-bash command.

  4. Connect to your Swarm master.

    $ ssh <SWARM-MASTER>

  5. Paste the curl-bash command into your shell, then run it. You need sudo privileges to run this command.

    $ curl -sSL -k --header "authorization: Bearer <TOKEN>" ...

  6. Validate that the Defender global service is running.

    Open Console, then go to Compute > Manage > Defenders > Manage. The table lists all Defenders deployed to your environment (one per node).
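As an added example (not part of the Prisma Cloud docs), the same validation can be done from the Swarm manager's shell by comparing the node list with the running tasks of the Defender global service; the service name held in DEFENDER_SERVICE is an assumption, so set it to whatever `docker service ls` shows in your cluster.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling. Reports Swarm nodes that have no
# running task of the Defender global service (for instance a node where the task
# keeps failing, or a node that was drained and therefore never received one).
DEFENDER_SERVICE="${DEFENDER_SERVICE:-twistlock-defender}"   # assumed service name

# missing_defender_nodes NODES TASKS
#   NODES: one hostname per line, as printed by
#          docker node ls --format '{{.Hostname}}'
#   TASKS: "<node> <current state...>" per line, as printed by
#          docker service ps --format '{{.Node}} {{.CurrentState}}' SERVICE
# Prints every hostname that has no task whose current state is "Running".
missing_defender_nodes() {
    nodes="$1"
    tasks="$2"
    # Second field of CurrentState lines is the state word ("Running 2 hours ago").
    running=$(printf '%s\n' "$tasks" | awk '$2 == "Running" {print $1}' | sort -u)
    printf '%s\n' "$nodes" | sort -u | while read -r node; do
        [ -z "$node" ] && continue
        if ! printf '%s\n' "$running" | grep -qx -- "$node"; then
            printf '%s\n' "$node"
        fi
    done
}

# check_swarm_defenders: run on a manager; exits non-zero if any node lacks Defender.
check_swarm_defenders() {
    nodes=$(docker node ls --format '{{.Hostname}}')
    tasks=$(docker service ps --format '{{.Node}} {{.CurrentState}}' "$DEFENDER_SERVICE")
    missing=$(missing_defender_nodes "$nodes" "$tasks")
    if [ -n "$missing" ]; then
        echo "Nodes without a running Defender task:"
        echo "$missing"
        return 1
    fi
    echo "Defender is running on every node"
    return 0
}
```

Source the script on the manager and call `check_swarm_defenders`; a node listed in its output should also be missing from the Console table described above.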

3. Uninstall

To uninstall Prisma Cloud, delete the Defender global service.

  1. Delete the Defender global service.

    1. Open Console, then go to Manage > Defenders > Deploy Swarm.

    2. Scroll to the bottom of the page, then copy the last curl-bash command, where it says "The script below uninstalls the Swarm Defenders from the cluster."

    3. Connect to your Swarm master.

      $ ssh <SWARM-MASTER>

    4. Paste the curl-bash command into your shell, then run it.

      $ curl -sSL -k --header "authorization: Bearer <TOKEN>" ...

4. Using a private registry

For maximum control over your environment, you might want to store the Prisma Cloud container images in your own private registry, and then install Prisma Cloud from your private registry.

5. Private registries

You can host the Defender image in your own private registry. Retrieve the image from Prisma Cloud’s registry, and then push it to your own registry. For Swarm deployments, Prisma Cloud supports only Docker Hub and Docker Trusted Registry as private registries.