How to triage an EKS Cluster with Prisma Defender daemon set NOT appearing in the console?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to triage an EKS Cluster with Prisma Defender daemon set NOT appearing in the console?

L3 Networker

So my co-worker has implemented some containerized solution and deployed it to EKS.

I used my access key to create a defender.yaml for him.

twistcli defender export kubernetes \
--password ${PRISMA_SECRET} \
--cluster-address ${PRISMA_CLOUD_COMPUTE_SVC_ADDR}

And she deployed it.

kubectl create -f defender.yaml

When I visit her AWS account EKS Console, I can see the cluster and the daemon but is it healthy?


Why doesn't that daemon set appear in Manage/Defenders/Daemon Sets?



How can I determine the health of the daemon set?

Or, find the root-cause of it not reporting status?


Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant

@Umer agreed but that is half of the solution.

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant

L3 Networker

So, here is how I solved it...


first, let's talk concepts...


EKS’ Clusters may be configured with Fargate Profile(s) and/or EC2 Managed Node Groups. These two kinds of EKS compute are separated and isolated. EC2 Nodes managed by customer; Fargate nodes managed by AWS.  Because of this separation, a cluster daemonset cannot not protect Fargate tasks.


IMO, those concepts are poorly communicated here...


Prisma Defenders may be deployed to either or both types of EKS compute in the same cluster.

  1. EKS on Fargate – a defender for this type of compute are embedded into the image at “build” time. Each image has its own defender.  To configure, see You can confirm the defenders are protecting the task by navigating to either PCC/Manage/Defenders/Manage/Defenders and/or PCC/Monitor/Runtime/App-Embedded observations.

  2. EKS on EC2 – defenders are deployed as Kubernetes daemon sets.  Given the daemonset AND a managed node group of EC2s are deployed then you can confirm one twistlock/defender pod per node. To confirm that the EKS Cluster is protected, navigate to PCC/Manage/Cloud Accounts; filter on your account number then choose the Action, Account Details, to see the Cloud Discovery results rendering which clusters are Defended or not.  To configure, improve this document here

    also this document too needs to be corrected...


    Bottom-line: The resolution to my original issue was that the daemonset.yaml produced by the command that I gave was missing two options, CRI and privileged.  The daemon must use Container Runtime Interface and it MUST run privileged for it to protect the other pods' containers.

    The command that produces a defect-free daemonset, defender.yaml is...

    export PRISMA_CONSOLE=

    twistcli defender export kubernetes \
    --user ${PRISMA_KEY_ID} \
    --password ${PRISMA_SECRET} \
    --cluster-address ${PRISMA_CLOUD_COMPUTE_SVC_ADDR} \
    --namespace twistlock \
    --privileged \



Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
  • 16 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!