03-29-2022 08:05 AM - last edited on 04-20-2022 08:36 AM by RPrasadi
Hello,
I'm looking for guidance on what the App-Embedded Defender's prerequisites are when it is going to protect a Docker image that is based on the scratch image. From what I've briefly seen, there'd at least need to be a shell (/bin/sh) available in the container image Defender is attempting to override the entrypoint on. I did briefly add busybox to a scratch-based image to satisfy having a shell available, but without luck; the Defender entrypoint script fails with a result of 1. Has anyone protected a from-scratch Docker image using the Fargate App-Embedded Defender sidecar before? If so, what are all of the prerequisite binaries and expectations Defender needs in the image it's going to protect?
Thanks,
Eric
07-22-2022 02:15 PM - edited 07-22-2022 02:20 PM
I would recommend reviewing the requirements document to ensure that the Docker engine version is supported and the required kernel capabilities are available for the Defender to access: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/system_requ... If there are still issues after reviewing this document and the document on how to deploy an App-Embedded Defender ( https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_def... ), we would need to see any errors that are available from the Docker deployment.
09-15-2022 07:00 AM
We already have several images being protected by Prisma Defender running successfully in a handful of ECS Fargate clusters, which are based on Red Hat UBI 8 and UBI 8 minimal. I've definitely followed those links. The issue I've seen is that you can't protect a container image that is based off scratch or even busybox. It appears that the Prisma Defender agent expects that /bin/sh and other binaries are available in the image, which they may not be when running a container image deriving from scratch that you're trying to protect.
To reproduce the issue, you could probably try to protect any image that derives from scratch; it could be a simple hello-world HTTP application that runs in a scratch-based container. If you try to protect it with Defender, it will fail to run, with Defender exiting with a result/code of 1 and not much of an error.
09-15-2022 02:39 PM
Hi Ebrumfield,
I hope you are doing well. The embed process modifies the container’s entrypoint to run App-Embedded Defender. The App-Embedded Defender, in turn, runs the original entrypoint program under its control.
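The two posts above describe the mechanism (Defender replaces the entrypoint and then launches the original program) and the failure mode (a scratch-based image has no /bin/sh for that wrapper to use). A pre-flight check that answers "does this image actually contain the paths the wrapper needs?" before a task is deployed is the practical follow-up. The script below is an added example, not code from Palo Alto Networks, from Prisma Cloud, or from anyone in this thread. It walks a `docker save` tarball, applies the layers in manifest order (honouring OverlayFS-style `.wh.` whiteouts, so a `RUN rm /bin/sh` in an upper layer is seen as a removal), resolves symlinks such as busybox's `/bin/sh -> busybox`, and reports which required paths are missing. `REQUIRED_PATHS` is an assumption based only on the /bin/sh observation in this thread; the three image fixtures are constructed in memory and are not real images.

```python
"""Pre-flight check: does an exported image contain the paths an
entrypoint-wrapping agent needs (e.g. /bin/sh)?  Added example; not vendor code."""
import io
import json
import posixpath
import sys
import tarfile

# Assumption for illustration: the thread reports /bin/sh as required.
# Extend this tuple with whatever your agent's documentation lists.
REQUIRED_PATHS = ("/bin/sh",)


def _norm(name):
    """Normalise a tar member name ('./bin/sh', 'bin/sh', '.') to an absolute path."""
    p = posixpath.normpath(name)
    return "/" if p in (".", "/") else "/" + p.lstrip("/")


def _drop_subtree(fs, root, keep_root):
    """Delete root (unless keep_root) and everything below it from the merged view."""
    prefix = root.rstrip("/") + "/"
    for p in list(fs):
        if p.startswith(prefix) or (p == root and not keep_root):
            del fs[p]


def merged_rootfs(image_tar):
    """Apply layers in manifest order and return {path: symlink_target_or_None}.

    '.wh.<name>' removes <name> from lower layers; '.wh..wh..opq' hides the
    whole lower content of its directory (OverlayFS / Docker whiteout rules)."""
    fs = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:          # base layer first
            layer_bytes = img.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for m in layer.getmembers():
                    path = _norm(m.name)
                    parent, base = posixpath.split(path)
                    if base == ".wh..wh..opq":
                        _drop_subtree(fs, parent, keep_root=True)
                    elif base.startswith(".wh."):
                        _drop_subtree(fs, posixpath.join(parent, base[4:]), keep_root=False)
                    else:
                        fs[path] = m.linkname if m.issym() else None
    return fs


def _resolves(fs, path, depth=0):
    """True if path exists and, if it is a symlink, its chain ends inside the image."""
    if depth > 40 or path not in fs:
        return False
    target = fs[path]
    if target is None:
        return True
    if not target.startswith("/"):               # relative link: relative to link's dir
        target = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
    return _resolves(fs, target, depth + 1)


def missing_prerequisites(image_tar, required=REQUIRED_PATHS):
    """Return the required paths that are absent from the merged root filesystem."""
    fs = merged_rootfs(image_tar)
    return [p for p in required if not _resolves(fs, p)]


def build_image(layers):
    """Build a minimal docker-save-style tarball in memory (test fixture only).
    layers: list of layers, each a list of (path, 'file'|'dir'|'symlink', payload)."""
    def add(tar, name, kind, payload):
        info = tarfile.TarInfo(name)
        if kind == "dir":
            info.type = tarfile.DIRTYPE
            tar.addfile(info)
        elif kind == "symlink":
            info.type, info.linkname = tarfile.SYMTYPE, payload
            tar.addfile(info)
        else:
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

    names, blobs = [], []
    for i, entries in enumerate(layers):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as t:
            for path, kind, payload in entries:
                add(t, path, kind, payload)
        names.append(f"layer{i}/layer.tar")
        blobs.append(buf.getvalue())
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as t:
        add(t, "manifest.json", "file",
            json.dumps([{"Config": "config.json", "RepoTags": [], "Layers": names}]).encode())
        for name, blob in zip(names, blobs):
            add(t, name, "file", blob)
    return out.getvalue()


# Constructed fixtures (not real images): a static binary on scratch, the same
# app on a busybox-style base, and a busybox base whose upper layer removed /bin/sh.
SCRATCH_APP = build_image([[("app", "file", b"\x7fELF static app")]])
BUSYBOX_APP = build_image([
    [("bin", "dir", ""), ("bin/busybox", "file", b"\x7fELF"), ("bin/sh", "symlink", "busybox")],
    [("app", "file", b"\x7fELF static app")]])
STRIPPED_APP = build_image([
    [("bin", "dir", ""), ("bin/busybox", "file", b"\x7fELF"), ("bin/sh", "symlink", "busybox")],
    [("bin/.wh.sh", "file", b"")]])

if __name__ == "__main__":
    # Usage: docker save myimage:tag -o image.tar && python3 check.py image.tar
    with open(sys.argv[1], "rb") as f:
        missing = missing_prerequisites(f.read())
    print("missing:", missing or "none")
    sys.exit(1 if missing else 0)
```

Run it against a `docker save` export of the image you intend to protect before generating the task definition; a non-empty result is the likely explanation for the "exit code 1 and not much of an error" behaviour described above, since a wrapper whose interpreter is not in the image cannot get as far as reporting anything. The fixtures show the three cases that matter here: no shell at all, a busybox symlinked shell that does resolve, and a whiteout in a later layer that silently removes it again.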
09-23-2022 11:11 AM
Do I recall correctly that the Fargate AppDefender is configured as a side-car?
Thus, it comes with all the dependencies that it needs.
09-23-2022 11:14 AM
Hi TommyHunt,
Yes, the Fargate AppDefender is configured as a side-car.
Regards,
01-17-2024 07:20 PM
Can someone post an example (json task definition) of how to get defender sidecar with nginx? I just need to get POC working for my sandbox env.
Prisma documentation doesn't really give much insight on it
01-18-2024 02:12 PM - edited 01-18-2024 02:12 PM
Hi Wilson_SWEE,
While we don't have any examples of defended Fargate tasks using NGINX, I looked for quite some time and was unable to find any reasonably simple Fargate examples with NGINX in general. There are only a few out there and each of them is somewhat lengthy.
You could try following this article from an AWS developer advocate and then try the CloudFormation template version of the task definition with our task generation process.
NGINX reverse proxy sidecar for a web container hosted with Amazon ECS and AWS Fargate
Alternatively, you could take the final JSON task definition and use that with our task generator. However, this method requires removing some unsupported parameters which are inserted after configuration, since the JSON task definition that appears in the console is not actually an original task definition.
Regards,