diff --git a/admin_guide/install/fragments/install_defender_twistcli_export_oc.adoc b/admin_guide/install/fragments/install_defender_twistcli_export_oc.adoc index da740646..af867203 100644 --- a/admin_guide/install/fragments/install_defender_twistcli_export_oc.adoc +++ b/admin_guide/install/fragments/install_defender_twistcli_export_oc.adoc @@ -2,13 +2,13 @@ == Install Defender Defender is installed as a DaemonSet, which ensures that an instance of Defender runs on every node in the cluster. -Use _twistcli_ to generate a YAML configuration file for the Defender DaemonSet, then deploy it using _kubectl_. +Use _twistcli_ to generate a YAML configuration file or helm chart for the Defender DaemonSet, then deploy it using _oc_ or _kubectl_. You can use the same method to deploy Defender DaemonSets from both macOS and Linux kubectl-enabled cluster controllers. The benefit of declarative object management, where you work directly with YAML configuration files, is that you get the full "source code" for the objects you create in your cluster. You can use a version control tool to manage and track modifications to config files so that you can delete and reliably recreate DaemonSets in your environment. -If you don't have kubectl access to your cluster (or oc access for OpenShift), you can deploy Defender DaemonSets directly from the xref:../install/install_defender/install_cluster_container_defender.adoc[Console UI]. +If you don't have kubectl access to your cluster (or oc access for OpenShift), you can deploy Defender DaemonSets directly from the xref:../install/install_defender/install_cluster_container_defender.adoc[Console UI]. NOTE: The following procedure shows you how to deploy Defender DaemonSets with twistcli using declarative object management. Alternatively, you can generate Defender DaemonSet install commands in the Console UI under *Manage > Defenders > Deploy > DaemonSet*. 
@@ -33,6 +33,12 @@ It is simply the host part of the URL. .. Copy the address from *1* (*The name that clients and Defenders use to access this Console*). +=== Deployment via Kubernetes YAML files + +The twistcli defender export command can be used to generate native Kubernetes YAML files to deploy the Defender as a DaemonSet. + +==== Openshift 3.9 + . Generate a _defender.yaml_ file, where: + The following command connects to Console's API (specified in _--address_) as user (specified in _--user_), and generates a Defender DaemonSet YAML config file according to the configuration options passed to _twistcli_. 
@@ -50,7 +56,166 @@ The _--cluster-address_ option specifies the address Defender uses to connect to $ oc create -f ./defender.yaml -. Confirm the Defenders were deployed. +==== Openshift 4 + + . Generate a _defender.yaml_ file, where: ++ +The following command connects to Console's API (specified in _--address_) as user (specified in _--user_), and generates a Defender DaemonSet YAML config file according to the configuration options passed to _twistcli_. +The _--cluster-address_ option specifies the address Defender uses to connect to Console, or Console's service address. ++ + $ /twistcli defender export openshift \ + --address + --user \ + --cluster-address \ + --cri ++ +* can be linux, osx, or windows. +* is the name of a Prisma Cloud user with the System Admin role. + + . Deploy the Defender DaemonSet. + + $ oc create -f ./defender.yaml + +=== Deployment via Helm chart + +. Generate the Defender DaemonSet helm chart. +A number of command variations are provided. +Use them as a basis for constructing your own working command. The following commands connects to Console's API (specified in _--address_) as user (specified in _--user_), and generates a Defender DaemonSet YAML config file according to the configuration options passed to _twistcli_. +The _--cluster-address_ option specifies the address Defender uses to connect to Console, or Console's service address. ++ +*Openshift 3.9: Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +Use the OpenShift external route for your Prisma Cloud Console, _--address \https://twistlock-console.apps.ose.example.com_. +Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. 
+ + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --helm ++ +*Openshift 4: Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +Use the OpenShift external route for your Prisma Cloud Console, _--address \https://twistlock-console.apps.ose.example.com_. +Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --helm \ + --cri ++ +*Openshift 3.9: Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image from the OpenShift internal registry. + + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm ++ +*Openshift 4: Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image from the OpenShift internal registry. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm \ + --cri ++ +*Openshift 3.9: Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +When generating the Defender DaemonSet YAML with twistcli from a node inside the cluster, use Console's service name (twistlock-console) or cluster IP in the _--cluster-address_ flag. +This flag specifies the endpoint for the Prisma Cloud Compute API and must include the port number. 
+ + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --helm ++ +*Openshift 4: Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +When generating the Defender DaemonSet YAML with twistcli from a node inside the cluster, use Console's service name (twistlock-console) or cluster IP in the _--cluster-address_ flag. +This flag specifies the endpoint for the Prisma Cloud Compute API and must include the port number. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --helm \ + --cri ++ +*Openshift 3.9: Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image in the OpenShift internal registry. + + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm ++ +*Openshift 4: Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image in the OpenShift internal registry. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address \ + --user \ + --cluster-address \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm \ + --cri + +====== Openshift 3.9 + +Deploy the helm chart via the helm command + + $ helm install --namespace=twistlock twistlock-defender-helm.tar.gz + +====== Openshift 4 +// https://github.com/twistlock/twistlock/issues/13333 + +Prisma Cloud Defenders Helm charts fail to install on OpenShift 4 clusters due to a Helm bug. 
+If you generate a Helm chart, and try to install it in an OpenShift 4 cluster, you'll get the following error: + + Error: unable to recognize "": no matches for kind "SecurityContextConstraints" in version "v1" + +To work around the issue, modify the generated Helm chart. + +[.procedure] + +. Unpack the chart into a temporary directory. + + $ mkdir helm-defender + $ tar xvzf twistlock-defender-helm.tar.gz -C helm-defender/ + +. Open _helm-console/twistlock-defender/templates/securitycontextconstraints.yaml_ for editing. + +. Change `apiVersion` from `v1` to `security.openshift.io/v1`. ++ +[source,yaml] +---- +{{- if .Values.openshift }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: +name: twistlock-console +... +---- + +. Repack the Helm chart + + $ cd helm-defender/ + $ tar cvzf twistlock-defender-helm.tar.gz twistlock-defender/ + +. Install the new helm chart via the helm command + + $ helm install --namespace=twistlock -g twistlock-defender-helm.tar.gz + + + +=== Confirm the Defenders were deployed. .. In Prisma Cloud Console, go to *Compute > Manage > Defenders > Manage* to see a list of deployed Defenders. + diff --git a/admin_guide/install/install_kubernetes.adoc b/admin_guide/install/install_kubernetes.adoc index 6c2abb32..3f61deb9 100644 --- a/admin_guide/install/install_kubernetes.adoc +++ b/admin_guide/install/install_kubernetes.adoc 
@@ -699,47 +699,77 @@ The _kubectl apply_ command lets you make https://kubernetes.io/docs/concepts/cl === Troubleshooting [.section] -==== RBAC issues - -If RBAC is enabled in your cluster, you might get the following error when trying to create a Defender DaemonSet. +==== Pod Security Policy +If Pod Security Policy is enabled in your cluster, you might get the following error when trying to create a Defender DaemonSet. Error creating: pods "twistlock-defender-ds-" is forbidden: unable to validate against any pod security policy ..Privileged containers are not allowed -If you get this error, then you must create a Role and RoleBinding so that Defender can run with the xref:system_requirements.adoc#kernel[privileges] it needs. -Create a Role and RoleBinding for the twistlock namespace. -You can use the following example Role and RoleBinding: +If you get this error, then you must create a PodSecurityPolicy for the defender and the necessary ClusterRole and ClusterRoleBinding for the twistlock namespace. 
+You can use the following Pod Security Policy, ClusterRole and ClusterRoleBinding: -.Role +.PodSecurityPolicy +[source,yaml] +---- +apiVersion: extensions/v1beta1 +kind: PodSecurityPolicy +metadata: + name: prismacloudcompute-service +spec: + privileged: false + seLinux: + rule: RunAsAny + allowedCapabilities: + - AUDIT_CONTROL + - NET_ADMIN + - SYS_ADMIN + - SYS_PTRACE + - MKNOD + - SETFCAP + volumes: + - "hostPath" + - "secret" + allowedHostPaths: + - pathPrefix: "/etc" + - pathPrefix: "/var" + - pathPrefix: "/run" + - pathPrefix: "/dev/log" + - pathPrefix: "/" + hostNetwork: true + hostPID: true + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny +---- + +.ClusterRole [source,yaml] ---- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - name: twistlock-role - namespace: twistlock + name: prismacloudcompute-defender-role rules: -- apiGroups: - - extensions +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] resourceNames: - - privileged - resources: - - podsecuritypolicies - verbs: - - use + - prismacloudcompute-service ---- -.RoleBinding +.ClusterRoleBinding [source,yaml] ---- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: - name: twistlock-rolebinding - namespace: twistlock + name: prismacloudcompute-defender-rolebinding roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: twistlock-role + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prismacloudcompute-defender-role subjects: - kind: ServiceAccount name: twistlock-service diff --git a/admin_guide/install/install_openshift.adoc b/admin_guide/install/install_openshift.adoc index dc698b13..10aef9eb 100644 --- a/admin_guide/install/install_openshift.adoc +++ b/admin_guide/install/install_openshift.adoc 
@@ -79,7 +79,6 @@ ifdef::prisma_cloud[] Validate that outbound connections to your Console can be made on port 443. endif::prisma_cloud[] - [#_install_twistlock] === Install Prisma Cloud @@ -207,16 +206,15 @@ For exampe, 18.11.128 would be 18_11_128. endif::prisma_cloud[] - ifdef::compute_edition[] [.task] ==== Install Console -Use the _twistcli_ tool to generate the Prisma Cloud Console deployment YAML. +Use the _twistcli_ tool to generate the Prisma Cloud Console Kubernetes deployment YAML or helm chart. The _twistcli_ tool is bundled with the release tarball. There are versions for Linux, macOS, and Windows. -The _twistcli_ tool generates YAML for a ReplicationContoller, and other service configurations, such as a PersistentVolumeClaim, SecurityContextConstraints, and so on. +The _twistcli_ tool generates YAML files or helm charts for a Deployment and other service configurations, such as a PersistentVolumeClaim, SecurityContextConstraints, and so on. Run the twistcli command with the _--help_ flag for additional details about the command and supported flags. You can optionally customize _twistlock.cfg_ to enable additional features, such as xref:../compliance/extensible_compliance_checks.adoc[custom compliance SCAP scanning]. @@ -227,7 +225,7 @@ There are two ways to provision storage for Console: * *Dynamic provisioning:* Allocate storage for Console link:https://docs.openshift.com/container-platform/3.10/install_config/persistent_storage/dynamically_provisioning_pvs.html[on-demand] at deployment time. -When generating the Console deployment YAML files with _twistcli_, specify the name of the storage class with the _--storage-class_ flag. +When generating the Console deployment YAML files or helm chart with _twistcli_, specify the name of the storage class with the _--storage-class_ flag. Most customers use dynamic provisioning. * *Manual provisioning:* 
@@ -237,6 +235,8 @@ The NFS server is typically one of the master nodes. Guidance for creating an NFS backed PersistentVolume can be found link:https://docs.openshift.com/container-platform/3.10/install_config/persistent_storage/persistent_storage_nfs.html#overview[here]. Also see <>. +===== Deployment via Kubernetes YAML files + [.procedure] . Generate a deployment YAML file for Console. A number of command variations are provided. 
@@ -270,6 +270,85 @@ If you omit the _--image-name_ flag, the Prisma Cloud cloud registry is used by + NOTE: You can safely ignore the error that says the twistlock project already exists. +===== Deployment via helm charts + +[.procedure] +. Generate a deployment helm chart for Console. +A number of command variations are provided. +Use them as a basis for constructing your own working command. ++ +*Prisma Cloud Console + dynamically provisioned PersistentVolume + image pulled from the OpenShift internal registry.* + + $ /twistcli console export openshift \ + --storage-class "" \ + --image-name "172.30.163.181:5000/twistlock/private:console_" \ + --service-type "ClusterIP" \ + --helm ++ +*Prisma Cloud Console + manually provisioned PersistentVolume + image pulled from the OpenShift internal registry.* +Using the NFS backed PersistentVolume described in <>, pass the label to the _--persistent-volume-labels_ flag to specify the PersistentVolume to which the PersistentVolumeClaim will bind. + + $ /twistcli console export openshift \ + --persistent-volume-labels "app-volume=twistlock-console" \ + --image-name "172.30.163.181:5000/twistlock/private:console_" \ + --service-type "ClusterIP" \ + --helm ++ +*Prisma Cloud Console + manually provisioned PersistentVolume + image pulled from the Prisma Cloud cloud registry.* +If you omit the _--image-name_ flag, the Prisma Cloud cloud registry is used by default, and you are prompted for your access token. + + $ /twistcli console export openshift \ + --persistent-volume-labels "app-volume=twistlock-console" \ + --service-type "ClusterIP" \ + --helm + +====== Openshift 3.9 + +[.procedure] +. Deploy the helm chart via the helm command. + + $ helm install --namespace=twistlock twistlock-console-helm.tar.gz + +====== Openshift 4 + +// https://github.com/twistlock/twistlock/issues/13333 + +Prisma Cloud Console Helm charts fail to install on OpenShift 4 clusters due to a Helm bug. 
+If you generate a Helm chart, and try to install it in an OpenShift 4 cluster, you'll get the following error: + + Error: unable to recognize "": no matches for kind "SecurityContextConstraints" in version "v1" + +To work around the issue, modify the generated Helm chart. + +[.procedure] +. Unpack the chart into a temporary directory. + + $ mkdir helm-console + $ tar xvzf twistlock-console-helm.tar.gz -C helm-console/ + +. Open _helm-console/twistlock-console/templates/securitycontextconstraints.yaml_ for editing. + +. Change `apiVersion` from `v1` to `security.openshift.io/v1`. ++ +[source,yaml] +---- +{{- if .Values.openshift }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: twistlock-console +... +---- + +. Repack the Helm chart + + $ cd helm-console/ + $ tar cvzf twistlock-console-helm.tar.gz twistlock-console/ + +. Install the new helm chart via the helm command + + $ helm install --namespace=twistlock -g twistlock-console-helm.tar.gz + endif::compute_edition[] @@ -347,15 +426,25 @@ ifdef::compute_edition[] Prisma Cloud Defenders run as containers on the nodes in your OpenShift cluster. They are deployed as a DaemonSet. -Use the _twistcli_ tool to generate the DaemonSet deployment YAML. +Use the _twistcli_ tool to generate the DaemonSet deployment YAML or helm chart. + The command has the following basic structure -It creates a YAML file named _defender.yaml_ in the working directory. +It creates a YAML file named _defender.yaml_ or a helm chart _twistlock-defender-helm.tar.gz_ in the working directory. + +Example for export of a YAML file: $ /twistcli defender export openshift \ - --address
+ --address
\ --cluster-address -The command connects to Console’s API, specified in _--address_, to generate the Defender DaemonSet YAML config file. +Example for export of a Helm chart: + + $ /twistcli defender export openshift \ + --address
\ + --cluster-address \ + --helm + +The command connects to Console’s API, specified in _--address_, to generate the Defender DaemonSet YAML config file or helm chart. The location where you run twistcli (inside or outside the cluster) dictates which Console address should be supplied. The _--cluster-address_ flag specifies the address Defender uses to connect to Console. @@ -364,12 +453,14 @@ For Defenders deployed outside the cluster, specify either Console’s external If SELinux is enabled on the OpenShift nodes, pass the _--selinux-enabled_ argument to twistcli. +===== Deployment via Kubernetes YAML files + [.procedure] . Generate the Defender DaemonSet YAML. A number of command variations are provided. Use them as a basis for constructing your own working command. + -*Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +*Openshift 3.9: Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* Use the OpenShift external route for your Prisma Cloud Console, _--address \https://twistlock-console.apps.ose.example.com_. Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. 
@@ -378,7 +469,17 @@ Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. --cluster-address 172.30.41.62 \ --selinux-enabled + -*Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +*Openshift 4: Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +Use the OpenShift external route for your Prisma Cloud Console, _--address \https://twistlock-console.apps.ose.example.com_. +Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. Defining CRI-O as the default container engine by using the _cri_ flag. + + $ /twistcli defender export openshift \ + --address https://twistlock-console.apps.ose.example.com \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --cri ++ +*Openshift 3.9: Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* Use the _--image-name_ flag to designate an image from the OpenShift internal registry. $ /twistcli defender export openshift \ 
@@ -387,7 +488,17 @@ Use the _--image-name_ flag to designate an image from the OpenShift internal re --selinux-enabled \ --image-name 172.30.163.181:5000/twistlock/private:defender_ + -*Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +*Openshift 4: Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image from the OpenShift internal registry. Defining CRI-O as the default container engine by using the _cri_ flag. + + $ /twistcli defender export openshift \ + --address https://twistlock-console.apps.ose.example.com \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --cri ++ +*Openshift 3.9: Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* When generating the Defender DaemonSet YAML with twistcli from a node inside the cluster, use Console's service name (twistlock-console) or cluster IP in the _--cluster-address_ flag. This flag specifies the endpoint for the Prisma Cloud Compute API and must include the port number. 
@@ -396,7 +507,17 @@ This flag specifies the endpoint for the Prisma Cloud Compute API and must inclu --cluster-address 172.30.41.62 \ --selinux-enabled + -*Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +*Openshift 4: Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +When generating the Defender DaemonSet YAML with twistcli from a node inside the cluster, use Console's service name (twistlock-console) or cluster IP in the _--cluster-address_ flag. +This flag specifies the endpoint for the Prisma Cloud Compute API and must include the port number. Defining CRI-O as the default container engine by using the _cri_ flag. + + $ /twistcli defender export openshift \ + --address https://172.30.41.62:8083 \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --cri ++ +*Openshift 3.9: Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* Use the _--image-name_ flag to designate an image in the OpenShift internal registry. $ /twistcli defender export openshift \ 
@@ -404,12 +525,159 @@ Use the _--image-name_ flag to designate an image in the OpenShift internal regi --cluster-address 172.30.41.62 \ --selinux-enabled \ --image-name 172.30.163.181:5000/twistlock/private:defender_ ++ +*Openshift 4: Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image in the OpenShift internal registry. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address https://172.30.41.62:8083 \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --cri . Deploy the Defender DaemonSet. $ oc create -f ./defender.yaml -. Confirm the Defenders were deployed. +===== Deployment via helm charts + +. Generate the Defender DaemonSet helm chart. +A number of command variations are provided. +Use them as a basis for constructing your own working command. ++ +*Openshift 3.9: Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +Use the OpenShift external route for your Prisma Cloud Console, _--address \https://twistlock-console.apps.ose.example.com_. +Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. + + $ /twistcli defender export openshift \ + --address https://twistlock-console.apps.ose.example.com \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --helm ++ +*Openshift 4: Outside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +Use the OpenShift external route for your Prisma Cloud Console, _--address \https://twistlock-console.apps.ose.example.com_. +Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. Defining CRI-O as the default container engine by using the _-cri_ flag. 
+ + $ /twistcli defender export openshift \ + --address https://twistlock-console.apps.ose.example.com \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --helm \ + --cri ++ +*Openshift 3.9: Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image from the OpenShift internal registry. + + $ /twistcli defender export openshift \ + --address https://twistlock-console.apps.ose.example.com \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm ++ +*Openshift 4: Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image from the OpenShift internal registry. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address https://twistlock-console.apps.ose.example.com \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm \ + --cri ++ +*Openshift 3.9: Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +When generating the Defender DaemonSet YAML with twistcli from a node inside the cluster, use Console's service name (twistlock-console) or cluster IP in the _--cluster-address_ flag. +This flag specifies the endpoint for the Prisma Cloud Compute API and must include the port number. + + $ /twistcli defender export openshift \ + --address https://172.30.41.62:8083 \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --helm ++ +*Openshift 4: Inside the OpenShift cluster + pull the Defender image from the Prisma Cloud cloud registry.* +When generating the Defender DaemonSet YAML with twistcli from a node inside the cluster, use Console's service name (twistlock-console) or cluster IP in the _--cluster-address_ flag. 
+This flag specifies the endpoint for the Prisma Cloud Compute API and must include the port number. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address https://172.30.41.62:8083 \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --helm \ + --cri ++ +*Openshift 3.9: Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image in the OpenShift internal registry. + + $ /twistcli defender export openshift \ + --address https://172.30.41.62:8083 \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm ++ +*Openshift 4: Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.* +Use the _--image-name_ flag to designate an image in the OpenShift internal registry. Defining CRI-O as the default container engine by using the _-cri_ flag. + + $ /twistcli defender export openshift \ + --address https://172.30.41.62:8083 \ + --cluster-address 172.30.41.62 \ + --selinux-enabled \ + --image-name 172.30.163.181:5000/twistlock/private:defender_ \ + --helm \ + --cri + +====== Openshift 3.9 + +Deploy the helm chart via the helm command + + $ helm install --namespace=twistlock twistlock-defender-helm.tar.gz + +====== Openshift 4 +// https://github.com/twistlock/twistlock/issues/13333 + +Prisma Cloud Defenders Helm charts fail to install on OpenShift 4 clusters due to a Helm bug. +If you generate a Helm chart, and try to install it in an OpenShift 4 cluster, you'll get the following error: + + Error: unable to recognize "": no matches for kind "SecurityContextConstraints" in version "v1" + +To work around the issue, modify the generated Helm chart. + +[.procedure] + +. Unpack the chart into a temporary directory. + + $ mkdir helm-defender + $ tar xvzf twistlock-defender-helm.tar.gz -C helm-defender/ + +. 
Open _helm-console/twistlock-defender/templates/securitycontextconstraints.yaml_ for editing. + +. Change `apiVersion` from `v1` to `security.openshift.io/v1`. ++ +[source,yaml] +---- +{{- if .Values.openshift }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: +name: twistlock-console +... +---- + +. Repack the Helm chart + + $ cd helm-defender/ + $ tar cvzf twistlock-defender-helm.tar.gz twistlock-defender/ + +. Install the new helm chart via the helm command + + $ helm install --namespace=twistlock -g twistlock-defender-helm.tar.gz + + +==== Confirm the Defenders were deployed. .. In Prisma Cloud Console, go to *Manage > Defenders > Manage* to see a list of deployed Defenders. + 
@@ -533,124 +801,6 @@ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SE twistlock-defender-ds 4 4 4 4 4 Deploy_Prisma Cloud=true ---- - -=== Install Prisma Cloud with Helm charts - -ifdef::compute_edition[] -You can use _twistcli_ to create Helm charts for Prisma Cloud Console and Defender. -Helm is a package manager for Kubernetes, and _chart_ is the moniker for a Helm package. - -Follow the <<_install_twistlock,main install flow>>, except: - -* Pass the _--helm_ option to _twistcli_ to generate a Helm chart. -Other options passed to _twistcli_ configure the chart. - -* Deploy Console and Defender with _helm install_ rather than _oc create_. - -To create and install a Console Helm chart that dynamically provisions its persistent volume and pulls the container image from the OpenShift internal registry: - -[source] ----- -$ /twistcli console export openshift \ - --storage-class "" \ - --image-name "172.30.163.181:5000/twistlock/private:console_" \ - --service-type "ClusterIP" - --helm - -$ helm install --namespace=twistlock twistlock-console-helm.tar.gz ----- - -To create and install a Defender DaemonSet Helm chart that pulls the Defender image from the OpenShift internal registry: - -[source] ----- -$ /twistcli defender export openshift \ - --address https://twistlock-console.apps.ose.example.com \ - --cluster-address 172.30.41.62 \ - --selinux-enabled \ - --image-name 172.30.163.181:5000/twistlock/private:defender_ - --helm - -$ helm install --namespace=twistlock twistlock-defender-helm.tar.gz ----- - -endif::compute_edition[] - -ifdef::prisma_cloud[] -You can use _twistcli_ to create Helm charts for Prisma Cloud Defender. -Helm is a package manager for Kubernetes, and _chart_ is the moniker for a Helm package. - -Follow the <<_install_twistlock,main install flow>>, except: - -* Pass the _--helm_ option to _twistcli_ to generate a Helm chart. -Other options passed to _twistcli_ configure the chart. 
- -* Deploy Defender with _helm install_ rather than _oc create_. - -To create and install a Defender DaemonSet Helm chart that pulls the Defender image from the OpenShift internal registry: - -[source] ----- -$ /twistcli defender export openshift \ - --address https://twistlock-console.apps.ose.example.com \ - --cluster-address 172.30.41.62 \ - --selinux-enabled \ - --image-name 172.30.163.181:5000/twistlock/private:defender_ - --helm - -$ helm install --namespace=twistlock twistlock-defender-helm.tar.gz ----- - -endif::prisma_cloud[] - - -ifdef::compute_edition[] -[.task] -=== OpenShift 4 - -// https://github.com/twistlock/twistlock/issues/13333 - -Prisma Cloud Console Helm charts fail to install on OpenShift 4 clusters due to a Helm bug. -If you generate a Helm chart, and try to install it in an OpenShift 4 cluster, you'll get the following error: - - Error: unable to recognize "": no matches for kind "SecurityContextConstraints" in version "v1" - -To work around the issue, modify the generated Helm chart. - -[.procedure] -. Generate a Console Helm chart. - - $ /twistcli console export kubernetes \ - --service-type LoadBalancer \ - --helm - -. Unpack the chart into a temporary directory. - - $ mkdir helm - $ tar xvzf twistlock-console-helm.tar.gz -C helm/ - -. Open _helm/twistlock-console/templates/securitycontextconstraints.yaml_ for editing. - -. Change `apiVersion` from `v1` to `security.openshift.io/v1`. -+ -[source,yaml] ----- -{{- if .Values.openshift }} -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: twistlock-console -... ----- - -. Repack the Helm chart, and install it in your OpenShift 4 cluster. - - $ cd helm/ - $ tar cvzf twistlock-console-helm.tar.gz twistlock-console/ - -endif::compute_edition[] - - [.task] === Uninstall @@ -678,7 +828,6 @@ To uninstall Prisma Cloud, delete the _twistlock_ project. endif::prisma_cloud[] - ifdef::compute_edition[] [.task] === Appendix: NFS PersistentVolume example
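Review bot: In install_defender_twistcli_export_oc.adoc, hunk @@ -2,13 +2,13 @@, the line beginning "If you don't have kubectl access to your cluster" is removed and re-added with no visible difference, so it is a whitespace-only change; revert it to keep the diff focused on the Helm additions. In the same hunk, "helm chart" should be "Helm chart" (the product name is capitalized elsewhere in these files, and the rest of the patch mixes both spellings).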
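Review bot: In install_defender_twistcli_export_oc.adoc, hunk @@ -33,6 +33,12 @@, the new heading `==== Openshift 3.9` spells the product "Openshift" while the existing text uses "OpenShift"; every new `Openshift 3.9` / `Openshift 4` heading and bold label in this patch has the same spelling, so fix them together. Note also that inserting section titles between the numbered steps (`.. Copy the address from *1*` above, `. Generate a _defender.yaml_ file` below) ends the first list, so the step numbering restarts after the heading; check the rendered page to confirm that is intended.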
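Review bot: In install_defender_twistcli_export_oc.adoc, hunk @@ -50,7 +56,166 @@, the OpenShift 4 YAML example is broken: the `--address` line has no trailing backslash, so the shell ends the command there and `--user`, `--cluster-address` and `--cri` are never passed; add the `\` as in every other example. The two list items in that block (`. Generate a _defender.yaml_ file` and `. Deploy the Defender DaemonSet.`) are indented by a leading space, which AsciiDoc renders as a literal paragraph rather than a list item. In the Helm section: "The following commands connects" should be "connect"; "Defining CRI-O as the default container engine by using the _-cri_ flag." is a sentence fragment and names a single-dash `-cri` while the commands pass `--cri` (write "Define CRI-O as the container engine with the `--cri` flag."); the headings jump from `=== Deployment via Helm chart` to `====== Openshift 3.9`, skipping two levels; the OpenShift 4 workaround unpacks into `helm-defender/` but then opens `helm-console/twistlock-defender/templates/securitycontextconstraints.yaml`; the YAML excerpt has `name: twistlock-console` unindented under `metadata:` (invalid YAML) and the value looks copied from the Console chart rather than the Defender chart; the 3.9 install runs `helm install --namespace=twistlock twistlock-defender-helm.tar.gz` while the OpenShift 4 install adds `-g`, which is Helm 3's `--generate-name` and is rejected by Helm 2, so say which Helm version each command targets; and `=== Confirm the Defenders were deployed.` turns a list step into a heading with a trailing period and leaves `.. In Prisma Cloud Console` as a nested item with no parent.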
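Review bot: In install_kubernetes.adoc, hunk @@ -699,47 +699,77 @@, the PodSecurityPolicy is declared with `apiVersion: extensions/v1beta1` while the ClusterRole grants `use` under `apiGroups: ['policy']`; declare the PSP as `policy/v1beta1` so the object and the RBAC rule refer to the same API group (the `extensions` PSP API is deprecated). The PSP sets `privileged: false`, yet the error it is meant to resolve says "Privileged containers are not allowed"; confirm the Defender DaemonSet does not set `privileged: true`, otherwise this policy still rejects it and the reader is left with the same error. `allowedHostPaths` includes `pathPrefix: "/"`, which subsumes `/etc`, `/var`, `/run` and `/dev/log` and permits mounting any host path; if the root prefix is genuinely required, drop the redundant entries, and if not, drop `/`. Granting `use` of the PSP through a ClusterRoleBinding applies cluster-wide; a RoleBinding in the twistlock namespace that references the ClusterRole is sufficient for PSP admission and is the least-privilege choice, and it also keeps the sentence "for the twistlock namespace" accurate (ClusterRole and ClusterRoleBinding are cluster-scoped objects). Finally, the `subjects` entry for `ServiceAccount twistlock-service` must carry `namespace: twistlock`; the hunk ends before that field, so verify it is present in the unchanged lines.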
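Review bot: In install_openshift.adoc, hunk @@ -207,16 +206,15 @@, the context line "For exampe, 18.11.128 would be 18_11_128." carries a typo ("example") that is worth fixing while this paragraph is being edited. The new text writes "helm chart" where the same file writes "Helm chart" elsewhere; pick one spelling.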
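Review bot: In install_openshift.adoc, hunk @@ -270,6 +270,85 @@, the OpenShift 3.9 and OpenShift 4 `helm install` commands differ only by the `-g` flag, which is Helm 3's `--generate-name`: Helm 2 rejects it, and Helm 3 without it requires an explicit release name. The split is therefore by Helm version, not OpenShift version, and the text should say so. The paragraph attributes the failure to "a Helm bug", but the documented fix edits `apiVersion` in the chart's own `securitycontextconstraints.yaml` template, so the root cause is the `apiVersion: v1` that twistcli emits; fixing the generator to write `security.openshift.io/v1` would remove the unpack/edit/repack steps entirely. The `[.procedure]` attribute appears three times inside the one `[.task]`; keep a single procedure block so step numbering stays continuous.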
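Review bot: In install_openshift.adoc, hunk @@ -378,7 +469,17 @@, the sentence "Defining CRI-O as the default container engine by using the _cri_ flag." is a fragment and names a flag `cri` that does not match the `--cri` the command actually passes; the same sentence recurs in the following two hunks as `_cri_` and from hunk @@ -404,12 +525,159 @@ onward as `_-cri_`. Use one form everywhere: "Define CRI-O as the container engine with the `--cri` flag." Since every OpenShift 4 variant differs from its OpenShift 3.9 counterpart only by that flag, consider keeping the four original examples plus one sentence stating that OpenShift 4 adds `--cri`, instead of eight near-duplicate blocks.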
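Review bot: In install_openshift.adoc, hunk @@ -404,12 +525,159 @@, the OpenShift 4 workaround unpacks the Defender chart into `helm-defender/` but then tells the reader to open `helm-console/twistlock-defender/templates/securitycontextconstraints.yaml`; the directory should be `helm-defender/`. In the YAML excerpt, `name: twistlock-console` is not indented under `metadata:` (the Console version of the same excerpt indents it), which is invalid YAML, and the value looks copied from the Console chart; check the Defender chart's template for the actual SCC name. `==== Confirm the Defenders were deployed.` replaces a list step with a heading that ends in a period and leaves `.. In Prisma Cloud Console` as a nested list item with no parent. This Helm/OpenShift 4 block is also added verbatim to install_defender_twistcli_export_oc.adoc in the same patch; an `include::` of that fragment would avoid maintaining two copies that have already drifted (`===` versus `====` on the "Confirm" heading).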
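Review bot: In install_openshift.adoc, hunk @@ -533,124 +801,6 @@, the deleted section included an `ifdef::prisma_cloud[]` block describing how to generate and install a Defender Helm chart, while the replacement Helm content added earlier in this file sits under `ifdef::compute_edition[]` (hunk @@ -347,15 +426,25 @@ opens inside that conditional). Confirm that the prisma_cloud build still documents the `--helm` path, for example through the updated install_defender_twistcli_export_oc.adoc fragment; otherwise that edition loses its Helm instructions with this change.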