topic Re: Failed to pull image "registry-auth.twistlock.com/tw_<token>/twistlock/defender:defender_22_06_224" in Prisma Cloud Discussions

Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

benderj4 — Wed, 09 Nov 2022 00:31:58 GMT

I'm getting the following error when deploying the twistlock defender into a 1.21 EKS cluster:

Failed to pull image "registry-auth.twistlock.com/tw_<token>/twistlock/defender:defender_22_06_224": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry-auth.twistlock.com/v2/": x509: certificate signed by unknown authority

Creating a custom AMI for EKS worker nodes is not an option, so I tried to work around the problem by downloading the container image from the console, loading it into docker locally, and publishing it to ECR. I'm able to deploy the defender at that point, but the container doesn't connect to the console using this method. The error in this case is as follows:

No console connectivity wss://us-east1.cloud.twistlock.com:443

Has anyone else encountered this? Any resolution? TIA

Re: Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

USheikh — Wed, 09 Nov 2022 00:50:37 GMT

Hello Benderj4,

The x509 certificate error could be due to certificate path not being discovered by Prisma Cloud Compute.

The following Knowledge Article will help mitigate the error:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNgjCAE

Regards,

Re: Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

benderj4 — Wed, 09 Nov 2022 01:02:34 GMT

The use case defined in your referenced article isn't consistent with mine. I'm not scanning any images. I'm trying to install the twistlock defender in the twistlock namespace.

I'm aware that I can add certificates to the truststore to get past this, but the EKS worker node images are locked down and I can't create a custom AMI to add certs. Are these images hosted anywhere that isn't using a self-signed cert? If not, let's focus on resolving the second error and I'll use my own twistlock container image.

Re: Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

USheikh — Wed, 09 Nov 2022 01:13:30 GMT

Regarding the second error, "No console connectivity wss://us-east1.cloud.twistlock.com:443", are you using self-hosted console or saas?

If self hosted, can you add the SAN under Names? Please refer to the screenshot.

Note: the SAN needs to match the option 3 of the deployment template for orchestrator defender.

Re: Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

benderj4 — Wed, 09 Nov 2022 01:17:44 GMT

We're using the SaaS product.

Re: Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

USheikh — Wed, 09 Nov 2022 01:28:27 GMT

Hello Benderj4,

Can you run the following ping command from the place where you are deploying the defender to the console?

curl -sk -D - https://<CONSOLE_IP_ADDRESS>/api/v1/_ping

Also, please share output of the openssl command.

Regards,

Re: Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

CloudEngineer — Thu, 10 Nov 2022 22:41:27 GMT

Hi BenderJ4,

Prisma Cloud Compute does not support having any defender pre-installed on a host, commonly also referred to as a "golden image." The closest you could get would be automating deployment with other tools and scripts. On a similar note, we do not support hosting the single container defender in a private registry (although I've seen existing feature requests for this).

However, if the case is that you'd like to automate deployment of a daemonset and host the defender in a private registry, Prisma Cloud Compute does support that 😄

Regards,

Re: Failed to pull image "registry-auth.twistlock.com/tw_/twistlock/defender:defender_22_06_224"

PradeepGupta4 — Wed, 24 Jan 2024 05:14:24 GMT

Hi @Prisma Cloud Team,

We are getting a similar error when deploying the twist-lock defender into a 1.23 EKS cluster

ERRO 2024-01-22T18:15:48.310 defender.go:1623 No console connectivitywss://us-east1.cloud.twistlock.com:443

We have created a custom image using the defender image from the Prisma Cloud SaaS Console and added the required certificates and server parameters, we're able to deploy the defender in our test env in a minikube cluster (K8 version: 1.27) without any issues. We even have network connectivity from the cluster/nodes to us-east1.cloud.twistlock.com:443 but when deploying it in the EKS cluster 1.23 we are getting the following error.

ERRO 2024-01-22T18:15:48.310 defender.go:1623 No console connectivity wss://us-east1.cloud.twistlock.com:443