Failed to pull image "<token>/twistlock/defender:defender_22_06_224"


L1 Bithead

I'm getting the following error when deploying the twistlock defender into a 1.21 EKS cluster:


Failed to pull image "<token>/twistlock/defender:defender_22_06_224": rpc error: code = Unknown desc = Error response from daemon: Get "": x509: certificate signed by unknown authority


Creating a custom AMI for EKS worker nodes is not an option, so I tried to work around the problem by downloading the container image from the console, loading it into docker locally, and publishing it to ECR. I'm able to deploy the defender at that point, but the container doesn't connect to the console using this method. The error in this case is as follows:


No console connectivity wss://


Has anyone else encountered this? Any resolution? TIA


L3 Networker

Hello Benderj4,


The x509 certificate error could be due to the certificate path not being discovered by Prisma Cloud Compute.


The following Knowledge Article will help mitigate the error:



Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

The use case defined in your referenced article isn't consistent with mine. I'm not scanning any images. I'm trying to install the twistlock defender in the twistlock namespace.


I'm aware that I can add certificates to the truststore to get past this, but the EKS worker node images are locked down and I can't create a custom AMI to add certs. Are these images hosted anywhere that isn't using a self-signed cert? If not, let's focus on resolving the second error and I'll use my own twistlock container image.

Regarding the second error, "No console connectivity wss://", are you using a self-hosted console or SaaS?

If self-hosted, can you add the SAN under Names? Please refer to the screenshot.


Note: the SAN needs to match option 3 of the deployment template for the orchestrator defender.

Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

We're using the SaaS product.

Hello Benderj4,


Can you run the following ping command from the place where you are deploying the defender to the console?


curl -sk -D - https://<CONSOLE_IP_ADDRESS>/api/v1/_ping


Also, please share output of the openssl command.





Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

L2 Linker

Hi BenderJ4,

Prisma Cloud Compute does not support having any defender pre-installed on a host, commonly also referred to as a "golden image." The closest you could get would be automating deployment with other tools and scripts. On a similar note, we do not support hosting the single container defender in a private registry (although I've seen existing feature requests for this).


However, if the case is that you'd like to automate deployment of a daemonset and host the defender in a private registry, Prisma Cloud Compute does support that 😄



Brandon Goldstein, Customer Success Engineer, Prisma Cloud | PCCSE, GCP ACE