1. Overview

As our customers’ usage of containers and cloud native technology continues to mature, they often need longer product support lifecycles to accommodate enterprise class operational cadences. We’re announcing the following changes, effective in Prisma Cloud Compute "Iverson", which will ship in the second half of calendar year 2021:

2. Extending support lifecycle to N-2

  • Currently, the Compute support lifecycle is the current major version and the previous major version ("N-1").

  • Beginning in Iverson, support will extend to the previous 2 major versions ("N-2").

  • Given our ~4 month major release cadence, this is effectively a full year of support for any given major release.

3. Defender <-> Console backwards compatibility

  • Defenders from any supported version will be able to connect to Consoles of the same or greater version.

  • This will be phased in, beginning with the Iverson release, which will support Defenders running either Iverson or Hamilton.

  • Joule Consoles will support Defenders running either Joule or Iverson or Hamilton.

  • twistcli and the Jenkins plugin will also provide this same backwards compatibility model.

  • Once a customer upgrades Defenders to Hamilton, they will not need to upgrade them again for 1 year, even as they upgrade their Consoles.

4. Versioned API with guaranteed reliable endpoint behaviors

  • Currently, the Compute API is not versioned between releases, though there are a set of APIs which very rarely change documented in our API Stability Guide.

  • Beginning in Iverson, each release of Console will include versioned API endpoints for the prior supported releases, with a guarantee that the included endpoint behaviors will remain constant for a given version.

  • Only APIs covered in the Stability Guide are included in these versioned endpoints; access to other APIs will not be actively prevented but they will be unsupported, undocumented, and may change at any time.

  • This will be phased in, beginning with the Iverson release, which will include a /v-Iverson endpoint as well as the existing /v1 endpoint.

  • Joule will include a /v-Joule and a /v-Iverson endpoint, and the existing /v1 endpoint; Kepler will include /v-Kepler, /v-Joule, and /v-Iverson.

5. Removal of Defender auto-upgrade feature

  • Given lengthened supportability lifecycle and the introduction of Defender <-> Console version compatibility throughout it, customers will now have much longer times between required Defender upgrades (approximately only once per year).

  • Accordingly, to simplify upgrade flows and enable thorough testing of upgrade scenarios, Defender auto-upgrade will be removed from the product beginning in Iverson.

  • This change impacts both SaaS customers (Enterprise Edition) and self-host (Compute Edition) customers.

  • Customers that currently have auto-upgrade enabled will simply no longer have Defenders automatically upgraded after this change and no action is required on their part to decommission the feature.

  • Customers can take advantage of the wide variety of deployment and upgrade options already available in the product to upgrade Defenders at their own pace to keep them within the new N-2 support lifecycle.