I'm looking for guidance on what the App embedded defender's pre-requisites are when it is going to protect a docker image that is based on the scratch image. From what I've briefly seen there'd at least need to be a shell (/bin/sh) available in the container image defender is attempting to override the entrypoint on. I did briefly add busybox to a scratch based image to satisfy having a shell available, but without luck, the defender entrypoint script fails with a result of 1. Has anyone protected a from scratch docker image using the Fargate app embedded defender sidecar before? If so, what are all of the pre-req binaries and expectations defender needs in the image it's going to protect?
I would recommend reviewing the requirements document to ensure that the docker engine version is supported and the required kernel capabilities are available for the defender to access: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/system_requ... If there are still issues after reviewing this document and the document on how to deploy an app embeded defender ( https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_def... ) we would need to see any errors that are available from the docker deployment.
We already have several images being protected by prisma defender running successfully in a handful of ECS Fargate clusters, which are based on RedHat UBI 8 and UBI 8 minimal. I've definitely followed those links. The issue I've seen is that you can't protect a container image that is based off scratch or even busybox. It appears that the prisma defender agent expects that /bin/sh and other binaries are available in the image, which they may not be when running a container image deriving from scratch that you're trying to protect.
To reproduce the issue you could probably try to protect any image that derives from scratch, could be a simple hello world http application that runs in a scratch based container and you try to protect it with defender, it will fail to run with defender exiting with a result/code of 1 and not much of an error.
I hope you are doing well. The embed process modifies the container’s entrypoint to run App-Embedded Defender. The App-Embedded Defender, in turn, runs the original entrypoint program under its control.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!