So my co-worker has implemented some containerized solution and deployed it to EKS.
I used my access key to create a defender.yaml for him.
twistcli defender export kubernetes \
--address ${PRISMA_CLOUD_COMPUTE_CONSOLE_API_ADDR} \
--user ${PRISMA_ADMIN_USER} \
--password ${PRISMA_SECRET} \
--cluster-address ${PRISMA_CLOUD_COMPUTE_SVC_ADDR}
And she deployed it.
kubectl create -f defender.yaml
When I visit her AWS account EKS Console, I can see the cluster and the daemon but is it healthy?
Why doesn't that daemon set appear in Manage/Defenders/Daemon Sets?
How can I determine the health of the daemon set?
Or, find the root-cause of it not reporting status?
.Tommy,
From the portal you should be able to view the defenders under Manage - Manage Defenders. Please see the screen shot below. I also noticed that you have two other DaemonSets configured but they do not have any pods running. Please check the health of the cluster, as well as run a kubectl get daemonsets --all-namespaces. You should have pods running under desired, current and ready. If you need more info on K8s daemonsets please review the links below, but it looks like the pods are not running at all. If you need help with a sample daemonset I can send you a yaml example to test.
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
Tommy,
Checking the pods running in the DaemonSet is the first place to start. Then perform a describe on any pods that are not running.
Kubernetes version 1.23
I understand this cluster is intended to run Fargate Tasks on EKS so I believe that Daemon set is the correct defender type.
IF "it" means defender daemon set then yes there is a "defender" daemonset but we know this from an earlier message.
I am still learning; pronouns may create confusion rather than clarity.
Can you please use proper nouns instead of pronouns?
There exist pods.
For some reason, I understood that the cluster requires some workloads so that pods are created with the defender daemon.
So, I deployed the k8s-dashboard and an AWS Labs microservice, ecsdemo.
But notice that none of my workloads, aka deployments, have the "Ready" state, all 0s just like the daemon sets.
Due to cybersecurity policies, we don't configure clusters with public network interface, no public internet ingress.
Maybe that's why these workloads won't run.
Based on what you guys have shared.
I understand that since there is no deployment running then there is no pod running with a daemonset.
@USheikh I cannot correlate your reference to "Nodes use Container Runtime Interface (CRI), not Docker" to any element in the yaml file.
Can you provide yaml path of the element that you find unacceptable?
Thanks @MDavis29 .
so we added a managed node group, pods are now running.
I can see audit, garbagecollector and clusterip assignment CloudWatch log events...
But Prisma Cloud discovery reports the cluster as Defended=FALSE.
I can see that the k8s service, twistlock/defender, is allocated an IP, and some garbage collection but no trace of dameonset api calls or errors. Where do i go from here?
