I'm getting the following error when deploying the twistlock defender into a 1.21 EKS cluster:
Failed to pull image "registry-auth.twistlock.com/tw_<token>/twistlock/defender:defender_22_06_224": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry-auth.twistlock.com/v2/": x509: certificate signed by unknown authority
Creating a custom AMI for EKS worker nodes is not an option, so I tried to work around the problem by downloading the container image from the console, loading it into docker locally, and publishing it to ECR. I'm able to deploy the defender at that point, but the container doesn't connect to the console using this method. The error in this case is as follows:
No console connectivity wss://us-east1.cloud.twistlock.com:443
Has anyone else encountered this? Any resolution? TIA
The x509 certificate error could be due to the certificate path not being discovered by Prisma Cloud Compute.
The following Knowledge Article will help mitigate the error:
The use case defined in your referenced article isn't consistent with mine. I'm not scanning any images. I'm trying to install the twistlock defender in the twistlock namespace.
I'm aware that I can add certificates to the truststore to get past this, but the EKS worker node images are locked down and I can't create a custom AMI to add certs. Are these images hosted anywhere that isn't using a self-signed cert? If not, let's focus on resolving the second error and I'll use my own twistlock container image.
Regarding the second error, "No console connectivity wss://us-east1.cloud.twistlock.com:443", are you using a self-hosted console or SaaS?
If self-hosted, can you add the SAN under Names? Please refer to the screenshot.
Note: the SAN needs to match the option 3 of the deployment template for orchestrator defender.
Can you run the following ping command from the place where you are deploying the defender to the console?
curl -sk -D - https://<CONSOLE_IP_ADDRESS>/api/v1/_ping
Also, please share the output of the openssl command.
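Added example, not code from the thread or from Prisma Cloud: Docker is written in Go, and "x509: certificate signed by unknown authority" is the message Go's crypto/x509 returns when the CA that signed the server's certificate is not in the client's trust store, which is the situation in the original pull error. The program below reproduces that with a constructed private CA and registry certificate, then shows the SAN mismatch case the reply above points at, and finally the chain verifying once the CA is in the store. The CA name and hostnames are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mintCert issues a cert for name signed by parent; a nil parent means self-signed, i.e. the constructed private CA.
func mintCert(serial int64, name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed inputs: errors ignored here and below
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{name}, // the SAN a client matches the requested hostname against
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed: this is the private CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustCheck verifies leaf for host against a trust store holding only roots, the check a Go client
// such as dockerd runs before a pull; an empty store yields x509.UnknownAuthorityError.
func TrustCheck(leaf *x509.Certificate, host string, roots ...*x509.Certificate) (unknownCA, badName bool, err error) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return errors.As(err, &x509.UnknownAuthorityError{}), errors.As(err, &x509.HostnameError{}), err
}

// Demo: private CA plus a registry cert for host; reports the CA-missing, SAN-mismatch and valid-chain outcomes.
func Demo(host string) (unknownCA, badName, ok bool) {
	ca, caKey := mintCert(1, "constructed-private-ca.example", nil, nil)
	leaf, _ := mintCert(2, host, ca, caKey)
	unknownCA, _, _ = TrustCheck(leaf, host)              // empty trust store, the thread's pull error
	_, badName, _ = TrustCheck(leaf, "other.example", ca) // CA trusted, but the name is not in the SAN
	_, _, err := TrustCheck(leaf, host, ca)               // CA added to the store and SAN matches
	return unknownCA, badName, err == nil
}
```

Adding the CA to the node's trust store is what turns the first outcome into the third; a hostname that is not in the SAN fails even with the CA trusted.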
Prisma Cloud Compute does not support having any defender pre-installed on a host, commonly also referred to as a "golden image." The closest you could get would be automating deployment with other tools and scripts. On a similar note, we do not support hosting the single container defender in a private registry (although I've seen existing feature requests for this).
However, if the case is that you'd like to automate deployment of a daemonset and host the defender in a private registry, Prisma Cloud Compute does support that 😄