1. Overview

VMware Tanzu Kubernetes Grid (TKG) lets you deploy Kubernetes clusters on demand. Use our standard Kubernetes install procedure to deploy Prisma Cloud to TKG. The only difference between TKG and standard Kubernetes is the location of the Docker socket.

2. Preflight checklist

To ensure that your installation goes smoothly, work through the following checklist and validate that all requirements are met.

2.1. General

  • You have access to a Prisma Cloud tenant.

  • You have adequate permissions (i.e. role) to deploy Defenders.

2.2. Cluster

  • Prisma Cloud Defender requires elevated privileges. Ensure that the following permissions are set in your TKG cluster:

    • Set Privileged Containers to true (enabled).

    • Set DenyEscalatingExec to false (disabled). After Prisma Cloud is installed, you can utilize it to deny other privileged containers from starting and deny escalation of privileges.

  • The nodes in your cluster can reach Prisma Cloud’s cloud registry (registry-auth.twistlock.com).

2.3. Permissions

  • You can create and delete namespaces in your cluster.

  • You can run kubectl create commands.

2.4. Firewalls and external IP addresses

Validate that the following ports are open:

Prisma Cloud Defenders:

  • Incoming: None

  • Outgoing: 443 to Prisma Cloud

3. Install Prisma Cloud Defender DaemonSet

The standard location of the Docker socket in Kubernetes is /var/run/docker.sock. In TKG, the Docker socket can be located in either /var/vcap/data/sys/run/docker/docker.sock or /var/vcap/sys/run/docker/docker.sock. Before you deploy your Defender DaemonSet, you must manually update the Defender DaemonSet configuration file with the path to the Docker socket.

  1. Use the standard procedure to generate a DaemonSet file.

    The DaemonSet file can be generated from the Prisma Cloud UI. Go to Prisma Cloud > Compute > Defenders > Deploy > DaemonSet and configure your deployment. At the bottom of the page, choose Download YAML directly.

  2. Open defender.yaml for editing, and update the file so Defender can find the Docker socket. The values below use /var/vcap/data/sys/run/docker; if the socket on your nodes lives under /var/vcap/sys/run/docker instead, use that directory in all three places.

    1. In volumeMounts, name: docker-sock-folder, set mountPath to:

      mountPath: "/var/vcap/data/sys/run/docker"

    2. In env, name: _DOCKER_CLIENT_ADDRESS, set value to:

      value: "/var/vcap/data/sys/run/docker/docker.sock"

    3. In volumes, name: docker-sock-folder, hostPath, set path to:

      path: "/var/vcap/data/sys/run/docker"

  3. Deploy your Defender DaemonSet.

    1. Create the Twistlock namespace.

      $ kubectl create namespace twistlock

    2. Deploy the Defender DaemonSet.

      $ kubectl create -f defender.yaml
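As an added example (not part of the Prisma Cloud documentation or product), the following Python script applies the three edits from step 2 to a downloaded defender.yaml and lists the resulting socket fields so you can review them before step 3. It assumes the generated file's list entries begin with `- name: <item>` followed by indented keys; the YAML excerpt inside it is constructed for illustration, not the real file.

```python
"""Patch the Docker-socket fields of a Prisma Cloud defender.yaml for TKG, line by
line so everything else in the generated file is preserved. Assumes list items
start with `- name: <item>` with their keys on the following indented lines."""
import re

# Socket directories the TKG docs list; use the one that exists on your nodes.
TKG_SOCKET_DIRS = ("/var/vcap/data/sys/run/docker", "/var/vcap/sys/run/docker")
NAME_RE = re.compile(r"^\s*-\s+name:\s*(\S+)\s*$")
FIELD_RE = re.compile(r"^(\s*)(mountPath|value|path):\s*(\S.*)?$")

# Constructed excerpt in the layout of the generated DaemonSet (not the real file).
SAMPLE = """\
        volumeMounts:
        - name: docker-sock-folder
          mountPath: "/var/run"
        env:
        - name: _DOCKER_CLIENT_ADDRESS
          value: "/var/run/docker.sock"
      volumes:
      - name: docker-sock-folder
        hostPath:
          path: "/var/run"
"""

def docker_socket_fields(yaml_text):
    """Return (item, key, value) for every field that refers to the Docker socket."""
    found, item = [], None
    for line in yaml_text.splitlines():
        m, kv = NAME_RE.match(line), FIELD_RE.match(line)
        if m:
            item = m.group(1)
        elif kv and item in ("docker-sock-folder", "_DOCKER_CLIENT_ADDRESS"):
            found.append((item, kv.group(2), (kv.group(3) or "").strip('"')))
    return found

def patch_docker_socket(yaml_text, socket_dir):
    """Point mountPath and hostPath at socket_dir, _DOCKER_CLIENT_ADDRESS at the socket."""
    if socket_dir not in TKG_SOCKET_DIRS:
        raise ValueError(f"{socket_dir} is not a documented TKG Docker socket directory")
    out, item = [], None  # item = name of the `- name:` entry being read
    for line in yaml_text.splitlines(keepends=True):
        m, kv = NAME_RE.match(line), FIELD_RE.match(line)
        if m:
            item = m.group(1)
        elif kv and item == "docker-sock-folder" and kv.group(2) in ("mountPath", "path"):
            line = f'{kv.group(1)}{kv.group(2)}: "{socket_dir}"\n'       # steps 2.1 and 2.3
        elif kv and item == "_DOCKER_CLIENT_ADDRESS" and kv.group(2) == "value":
            line = f'{kv.group(1)}value: "{socket_dir}/docker.sock"\n'  # step 2.2
        out.append(line)
    return "".join(out)
```

Run `patch_docker_socket` on the contents of your downloaded defender.yaml, write the result back, and check `docker_socket_fields` shows the same directory in all three entries before running kubectl create.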