Failed to pull image "registry-auth.twistlock.com/tw_<token>/twistlock/defender:defender_22_06_224"


L1 Bithead

I'm getting the following error when deploying the twistlock defender into a 1.21 EKS cluster:

Failed to pull image "registry-auth.twistlock.com/tw_<token>/twistlock/defender:defender_22_06_224": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry-auth.twistlock.com/v2/": x509: certificate signed by unknown authority

Creating a custom AMI for EKS worker nodes is not an option, so I tried to work around the problem by downloading the container image from the console, loading it into docker locally, and publishing it to ECR. I'm able to deploy the defender at that point, but the container doesn't connect to the console using this method. The error in this case is as follows:

No console connectivity wss://us-east1.cloud.twistlock.com:443

Has anyone else encountered this? Any resolution? TIA

L3 Networker

Hello Benderj4,

The x509 certificate error could be due to the certificate path not being discovered by Prisma Cloud Compute.

The following Knowledge Article will help mitigate the error:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNgjCAE

Regards,

Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

The use case defined in your referenced article isn't consistent with mine. I'm not scanning any images. I'm trying to install the twistlock defender in the twistlock namespace.

I'm aware that I can add certificates to the truststore to get past this, but the EKS worker node images are locked down and I can't create a custom AMI to add certs. Are these images hosted anywhere that isn't using a self-signed cert? If not, let's focus on resolving the second error and I'll use my own twistlock container image.

Regarding the second error, "No console connectivity wss://us-east1.cloud.twistlock.com:443", are you using a self-hosted console or SaaS?

If self-hosted, can you add the SAN under Names? Please refer to the screenshot.

Note: the SAN needs to match the option 3 of the deployment template for orchestrator defender. 

Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

We're using the SaaS product.

Hello Benderj4,

Can you run the following ping command from the place where you are deploying the defender to the console?

curl -sk -D - https://<CONSOLE_IP_ADDRESS>/api/v1/_ping

Also, please share output of the openssl command.

Regards,

Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect
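The two checks asked for above (the `_ping` request and an `openssl s_client` run against the endpoint) can be scripted so the result is interpreted consistently. This is an added example, not part of the thread or of Prisma Cloud Compute; it assumes `openssl` and `curl` are installed and maps the "Verify return code" that `s_client` prints to the usual cause of a "x509: certificate signed by unknown authority" pull failure.

```shell
#!/bin/sh
# Added example (not from the thread): classify the TLS verification result for a
# registry or console endpoint so the trust-store problem can be pinned down.

# Reads `openssl s_client` output on stdin and prints "<tag>: <explanation>".
# Tags are stable so callers can branch on them (cut -d: -f1).
diagnose_verify_output() {
  code=$(sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    0)     echo "chain-ok: the local trust store accepts the server certificate" ;;
    20)    echo "missing-ca: issuer CA is not in the local trust store (this is what the container runtime reports as 'certificate signed by unknown authority')" ;;
    21)    echo "missing-intermediate: server sent a leaf without its intermediate; the server-side chain needs fixing" ;;
    18|19) echo "self-signed: certificate or chain root is self-signed; it must be imported explicitly if it is trusted" ;;
    10)    echo "expired: certificate has expired" ;;
    62)    echo "hostname-mismatch: SAN does not match the name used to connect" ;;
    "")    echo "no-verify-line: input did not look like openssl s_client output"; return 2 ;;
    *)     echo "other: openssl verify return code $code" ;;
  esac
}

# Show the subjects/issuers the endpoint presents and the verification verdict.
# -servername sets SNI; -verify_hostname makes openssl check the SAN as well.
probe_tls() {
  host=$1; port=${2:-443}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -showcerts </dev/null 2>/dev/null)
  printf '%s\n' "$out" | grep -E '^ *[0-9]+ s:|^ *i:'
  printf '%s\n' "$out" | diagnose_verify_output
}

# The console reachability check from the thread; headers only, body discarded.
ping_console() {
  curl -sk -D - "https://$1/api/v1/_ping" -o /dev/null
}

# Usage: ./tls-check.sh registry-auth.twistlock.com [443]
if [ $# -ge 1 ]; then
  probe_tls "$1" "${2:-443}"
  ping_console "$1"
fi
```

Run it once against the registry host and once against the console host; a `missing-ca` verdict on the registry confirms the node trust store is the problem rather than the registry's own chain.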

L3 Networker

Hi BenderJ4,

Prisma Cloud Compute does not support having any defender pre-installed on a host, commonly also referred to as a "golden image." The closest you could get would be automating deployment with other tools and scripts. On a similar note, we do not support hosting the single container defender in a private registry (although I've seen existing feature requests for this).

However, if the case is that you'd like to automate deployment of a daemonset and host the defender in a private registry, Prisma Cloud Compute does support that 😄

Regards,

Brandon Goldstein, Sr. Customer Success Engineer, Prisma Cloud | PCCSE, GCP PCSE

L0 Member

Hi @Prisma Cloud Team,

We are getting a similar error when deploying the Twistlock defender into a 1.23 EKS cluster.

We have created a custom image using the defender image from the Prisma Cloud SaaS Console and added the required certificates and server parameters, and we're able to deploy the defender in our test env in a minikube cluster (K8s version: 1.27) without any issues. We even have network connectivity from the cluster/nodes to us-east1.cloud.twistlock.com:443, but when deploying it in the EKS cluster 1.23 we are getting the following error.

ERRO 2024-01-22T18:15:48.310 defender.go:1623 No console connectivity wss://us-east1.cloud.twistlock.com:443
