11-08-2022 04:31 PM
I'm getting the following error when deploying the twistlock defender into a 1.21 EKS cluster:
Failed to pull image "registry-auth.twistlock.com/tw_<token>/twistlock/defender:defender_22_06_224": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry-auth.twistlock.com/v2/": x509: certificate signed by unknown authority
Creating a custom AMI for EKS worker nodes is not an option, so I tried to work around the problem by downloading the container image from the console, loading it into docker locally, and publishing it to ECR. I'm able to deploy the defender at that point, but the container doesn't connect to the console using this method. The error in this case is as follows:
No console connectivity wss://us-east1.cloud.twistlock.com:443
Has anyone else encountered this? Any resolution? TIA
11-08-2022 04:50 PM
Hello Benderj4,
The x509 certificate error could be due to certificate path not being discovered by Prisma Cloud Compute.
The following Knowledge Article will help mitigate the error:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNgjCAE
Regards,
11-08-2022 05:02 PM
The use case defined in your referenced article isn't consistent with mine. I'm not scanning any images. I'm trying to install the twistlock defender in the twistlock namespace.
I'm aware that I can add certificates to the truststore to get past this, but the EKS worker node images are locked down and I can't create a custom AMI to add certs. Are these images hosted anywhere that isn't using a self-signed cert? If not, let's focus on resolving the second error and I'll use my own twistlock container image.
11-08-2022 05:13 PM
Regarding the second error, "No console connectivity wss://us-east1.cloud.twistlock.com:443", are you using a self-hosted console or SaaS?
If self-hosted, can you add the SAN under Names? Please refer to the screenshot.
Note: the SAN needs to match the option 3 of the deployment template for orchestrator defender.
11-08-2022 05:17 PM
We're using the SaaS product.
11-08-2022 05:28 PM
Hello Benderj4,
Can you run the following ping command from the place where you are deploying the defender to the console?
curl -sk -D - https://<CONSOLE_IP_ADDRESS>/api/v1/_ping
Also, please share output of the openssl command.
Regards,
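An added example, not posted by anyone in this thread: a POSIX shell script that runs the two checks requested above (the `openssl` handshake against the image registry and the `_ping` call against the console) and classifies the result, so that the "certificate signed by unknown authority" case can be told apart from a plain connectivity failure. The hostnames are the ones quoted in the thread; the `CA_BUNDLE` variable, the `RUN_CHECKS` switch and the classification labels are assumptions of this example, not Prisma Cloud Compute conventions.

```shell
#!/bin/sh
# Added diagnostic for the thread above. Hostnames default to the ones quoted
# in the thread; override REGISTRY_HOST / CONSOLE_HOST for another tenant.
# CA_BUNDLE (optional, assumed name) points at a PEM file to re-test trust with,
# e.g. the CA of a TLS-intercepting proxy between the EKS nodes and the Internet.
REGISTRY_HOST="${REGISTRY_HOST:-registry-auth.twistlock.com}"
CONSOLE_HOST="${CONSOLE_HOST:-us-east1.cloud.twistlock.com}"
CA_BUNDLE="${CA_BUNDLE:-}"

# Classify `openssl s_client` output (read on stdin) by its "Verify return code".
#   trusted      - chain validated against the trust store that was used
#   untrusted-ca - a chain was presented but is not anchored in that store
#                  (18/19 self-signed, 20 unknown issuer, 21 unverifiable leaf);
#                  this is the x509 "unknown authority" case from the thread
#   no-handshake - no "Verify return code" at all: DNS, firewall, proxy, timeout
classify_verify_output() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        "")          echo "no-handshake" ;;
        0)           echo "trusted" ;;
        18|19|20|21) echo "untrusted-ca" ;;
        *)           echo "verify-error-$code" ;;
    esac
}

# Classify the HTTP status curl reports for /api/v1/_ping ("000" = no connection).
classify_http() {
    case "$1" in
        000)  echo "unreachable" ;;
        2??)  echo "ok" ;;
        *)    echo "http-$1" ;;
    esac
}

# TLS check against $1:443 (SNI set), optionally trusting the bundle in $2.
# </dev/null ends the session right after the handshake.
tls_check() {
    if [ -n "$2" ]; then
        out=$(openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    fi
    printf '%s (bundle: %s): %s\n' "$1" "${2:-system}" "$(printf '%s\n' "$out" | classify_verify_output)"
    # First issuer line of the presented chain: tells you whose CA you would need to trust.
    printf '%s\n' "$out" | sed -n 's/^ *i:/  issuer: /p' | head -n 1
}

# Console check: the _ping call from the thread. The -k run isolates plain
# reachability (TCP, DNS, egress); the second run also requires the console
# certificate to be trusted by this host's store.
console_check() {
    for mode in insecure verify; do
        if [ "$mode" = insecure ]; then k=-k; else k=; fi
        status=$(curl -s $k -o /dev/null -w '%{http_code}' --max-time 10 "https://$1/api/v1/_ping")
        printf '%s _ping (%s): %s\n' "$1" "$mode" "$(classify_http "$status")"
    done
}

# Only run the network checks when explicitly asked for (RUN_CHECKS=1),
# so the classifiers above can be exercised offline.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    tls_check "$REGISTRY_HOST"
    [ -n "$CA_BUNDLE" ] && tls_check "$REGISTRY_HOST" "$CA_BUNDLE"
    tls_check "$CONSOLE_HOST"
    console_check "$CONSOLE_HOST"
fi
```

Run it from a shell on an EKS worker node (or a debug pod with host networking) with `RUN_CHECKS=1`. An `untrusted-ca` result for the registry with the system bundle that turns into `trusted` with `CA_BUNDLE` set to your proxy's CA is the signature of TLS interception on the egress path; `no-handshake` or `unreachable` for the console points at network policy, security groups or egress filtering rather than certificates.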
11-10-2022 02:41 PM
Hi BenderJ4,
Prisma Cloud Compute does not support having any defender pre-installed on a host, commonly also referred to as a "golden image." The closest you could get would be automating deployment with other tools and scripts. On a similar note, we do not support hosting the single container defender in a private registry (although I've seen existing feature requests for this).
However, if the case is that you'd like to automate deployment of a daemonset and host the defender in a private registry, Prisma Cloud Compute does support that 😄
Regards,
01-23-2024 09:14 PM
Hi @Prisma Cloud Team,
We are getting a similar error when deploying the twistlock defender into a 1.23 EKS cluster:
ERRO 2024-01-22T18:15:48.310 defender.go:1623 No console connectivity wss://us-east1.cloud.twistlock.com:443
We have created a custom image using the defender image from the Prisma Cloud SaaS Console and added the required certificates and server parameters. We're able to deploy the defender in our test env in a minikube cluster (K8s version 1.27) without any issues. We even have network connectivity from the cluster/nodes to us-east1.cloud.twistlock.com:443, but when deploying it in the EKS cluster 1.23 we get the following error:
ERRO 2024-01-22T18:15:48.310 defender.go:1623 No console connectivity wss://us-east1.cloud.twistlock.com:443