This documentation demonstrates the automated installation and upgrade processes for the Prisma Cloud Compute Console and Defenders within a Kubernetes cluster that is unable to communicate with the Internet.
-
Pull the required images.
-
the operator image
docker pull quay.io/prismacloud/pcc-operator:v0.2.0
-
the Console and Defender images for the version you are installing
docker pull registry.twistlock.com/twistlock/console:console_21_08_520 docker pull registry.twistlock.com/twistlock/defender:defender_21_08_520
-
-
Save the images as tarballs.
docker save quay.io/prismacloud/pcc-operator:v0.2.0 | gzip > pcc-operator.tar.gz docker save registry.twistlock.com/twistlock/console:console_21_08_520 | gzip > console.tar.gz docker save registry.twistlock.com/twistlock/defender:defender_21_08_520 | gzip > defender.tar.gz
-
Pull the PaloAltoNetworks/prisma-cloud-compute-operator GitHub repo.
wget https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator/archive/refs/heads/main.zip
-
Download the offline update tool bundle matching the version to be deployed (e.g. v21_08_520).
wget https://cdn.twistlock.com/isolated_upgrades/v21_08_520/v21_08_520_isolated_update.tar.gz
-
Move the image tarballs, the GitHub repo zip file and offline update tool bundle to a host that has docker installed and has access to the disconnected cluster.
-
Docker load, tag and push the images to a registry that is accessible (e.g. 10.105.219.150) from your isolated Kubernetes cluster.
docker load < pcc_operator.tar.gz docker tag 3eee0ee3aef5 10.105.219.150/pcc-operator:v0.2.0 docker push 10.105.219.150/pcc-operator:v0.2.0 docker load < console.tar.gz docker tag 58c779558b27 10.105.219.150/console:console_21_08_520 docker push 10.105.219.150/console:console_21_08_520 docker load < defender.tar.gz docker tag aaf13f247f08 10.105.219.150/defender:defender_21_08_520 docker push 10.105.219.150/defender:defender_21_08_520
-
Host the offline update tool bundle v21_08_520_isolated_update.tar.gz file in an http/https location where your isolated cluster can reach and pull this file. For example, http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz
-
Unzip the PaloAltoNetworks/prisma-cloud-compute-operator GitHub repo.
unzip main.zip
-
Create the namespace for this deployment (e.g.
twistlock).kubectl create ns twistlock
-
The Console is licensed and the intial administrator account is created during deployment. The account credentials and license can be supplied as arguments or as a Kubernetes Secret. To deploy using a Kubernetes Secret:
-
Copy the following yaml into a file called pcc-credentials.yaml.
apiVersion: v1 kind: Secret metadata: name: pcc-credentials namespace: twistlock data: accessToken: <base64 encoded access token> license: <base64 encoded license key> password: <base64 encoded password> username: <base64 encoded username>
-
Base64 encode your
accessToken,license,password, andusernamevalues and update thepcc-credentials.yamlfile. For example:$ echo -n "admin" | base64 YWRtaW4=
-
Create the secret within the cluster.
kubectl apply -f pcc-credentials.yaml
-
-
Modify the unzipped GitHub repo's config/manager/kustomization.yaml from:
apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - manager.yaml images: - digest: sha256:e5c9c4947755399481aa81d8ffc37543f3fcc81de8052a711cf836c83e6efa7b name: controller newName: quay.io/prismacloud/pcc-operator
to:
apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - manager.yaml images: - name: controller newName: 10.105.219.150/pcc-operator newTag: v0.2.0
-
Change directory to the GitHub repo's config/deploy and deploy the pcc-operator.
kubectl apply -k . -
Install Console and Defenders.
-
Copy the following yaml into a file called consoledefender.yaml.
--- apiVersion: pcc.paloaltonetworks.com/v1alpha1 kind: ConsoleDefender metadata: name: pcc-consoledefender namespace: twistlock spec: namespace: twistlock orchestrator: kubernetes version: '21_08_520' toolBundleUrl: http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz consoleConfig: serviceType: ClusterIP imageName: 10.105.219.150/console:console_21_08_520 defenderConfig: docker: true imageName: 10.105.219.150/defender:defender_21_08_520
NOTES:
- For docker-based clusters set
docker: true. - The default
serviceTypeisNodePort.
- For docker-based clusters set
-
Set
versionto the Prisma Cloud Compute release version to be deployed (e.g. 21_08_520). -
Set
toolBundleUrlto the offline update tool bundle v21_08_520_isolated_update.tar.gz URL. For example, http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz -
If you are not using Kubernetes Secrets set the following in the Credentials section:
- Access Token: 32-character access token included in the license bundle
- License: Product license included in the license bundle
- Password: Password to be used for the initial local administrator user. It is highly recommended that you change the password for this user in the Prisma Cloud Compute Console after install.
- Username: Username to be used for the initial local administrator user.
-
Deploy the Console and Defender.
kubectl apply -f ./consoledefender.yaml
-
Confirm that the Console and Defender pods have been deployed.
kubectl get pods -n twistlock
-
-
Establish communications to the twistlock-console service’s management-port-https port (default 8083/TCP) using a Kubernetes LoadBalancer or your organization’s approved cluster ingress technology.
-
Login with the username and password specified in the
Credentialssection. If you did not use Kubernetes Secrets reset this account's password in Manage > Authentication > Users.
The upgrade process will retain the existing deployment's configuration and settings. Please consult the release notes first to determine if any additional procedures are required.
- Upgrade the Console.
-
Copy the following yaml into a file called console.yaml.
--- apiVersion: pcc.paloaltonetworks.com/v1alpha1 kind: ConsoleDefender metadata: name: pcc-consoledefender namespace: twistlock spec: namespace: twistlock orchestrator: kubernetes version: '21_08_520' toolBundleUrl: http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz consoleConfig: serviceType: ClusterIP imageName: 10.105.219.150/console:console_21_08_520
NOTES:
- The default
serviceTypeisNodePort.
- The default
-
Set version to the Prisma Cloud Compute release version to be deployed (e.g. 21_08_520) section.
-
Set
toolBundleUrlto the offline update tool bundle v21_08_520_isolated_update.tar.gz URL. For example, http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz. -
Refer to the field necessity table for additional field details.
-
Deploy the Console.
kubectl apply -f ./console.yaml
-
- Upgrade the Defenders.
-
Copy the following yaml into a file called defender.yaml.
--- apiVersion: pcc.paloaltonetworks.com/v1alpha1 kind: Defender metadata: name: pcc-defender namespace: twistlock spec: namespace: twistlock orchestrator: kubernetes version: '21_08_520' defenderConfig: clusterAddress: twistlock-console consoleAddress: https://twistlock-console:8083 imageName: 10.105.219.150/defender:defender_21_08_520 docker: true
NOTES:
- Ensure the version of your Console is the same version for Defender deployment.
- For docker-based clusters set
docker: true.
-
Set version to the version to be deployed (e.g. 21_08_520).
-
If you are not using Kubernetes Secrets set the following in the Credentials section:
- Password: password to an account that has defender-manager or higher role
- Username: username to an account that has defender-manager or higher role
-
Deploy the Defenders.
kubectl apply -f ./defender.yaml
-