How to deploy Defender on a Talos Linux Kubernetes cluster
Created On 02/28/23 15:48 PM - Last Modified 07/11/24 19:24 PM
Objective
- Create a test Talos Kubernetes cluster
- Deploy Defenders in a Talos Linux Kubernetes cluster
- Requires Prisma Cloud Compute v22.12.427 Update1 or above
Environment
- Ubuntu VM with onebox console deployed
- Docker runtime installed
- Installed talosctl command
- Installed kubectl command
Procedure
- Install talosctl
    curl -sL https://talos.dev/install | sh   # use sudo for any permission issues
- Create the test cluster
    sudo talosctl cluster create --name test-cluster
- Get the cluster nodes and their status
    sudo talosctl cluster show --name test-cluster
  Example output:
    PROVISIONER       docker
    NAME              test-cluster
    NETWORK NAME      test-cluster
    NETWORK CIDR      10.5.0.0/24
    NETWORK GATEWAY
    NETWORK MTU       1500

    NODES:

    NAME                         TYPE           IP         CPU   RAM   DISK
    test-cluster-controlplane-1  controlplane   10.5.0.2   -     -     -
    test-cluster-worker-1        worker         10.5.0.3   -     -     -
- Deploy a Defender: Manage > Defenders > Manual Deploy
- Orchestrator type = Kubernetes
- Docker Container Runtime (not CRI/containerd) = Enable (only if the host is running Docker)
- Advanced Settings > Talos Linux deployment = Enable
- Deploy the Defender with kubectl apply -f daemonset.yaml
- The Defender appears in the Console as connected with Type = Daemonset CRI on Linux, and its host properties match the worker node shown by sudo talosctl cluster show --name test-cluster
- Because the Defender requires extra capabilities, kubectl apply -f daemonset.yaml may fail with a Pod Security Policy error. If it does, add the twistlock namespace to the Pod Security Admission controller exemptions:
  Step 1: edit the controlplane machine config
    sudo talosctl -n 10.5.0.2 edit machineconfig
  Step 2: under admissionControl, add the twistlock namespace to the exemptions
        exemptions:
          namespaces:
            - kube-system
            - twistlock   # add this entry
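The procedure above as a POSIX shell script (an added example, not part of the KB article): it checks whether the machine config already exempts the Defender namespace, patches it if not, then applies the DaemonSet. The controlplane IP 10.5.0.2 and daemonset.yaml are taken from the article; the JSON patch path (PodSecurity as entry 0 of cluster.apiServer.admissionControl), the `talosctl get machineconfig -o yaml` / `talosctl patch machineconfig --patch` invocations and the DaemonSet name twistlock-defender-ds are assumptions.

```shell
# Added example, not from the KB article: check the Talos machineconfig for a
# PodSecurity exemption before applying the Defender DaemonSet, patch it if
# missing. 10.5.0.2 and daemonset.yaml are from the article; the JSON patch
# path and the DaemonSet name twistlock-defender-ds are assumptions.
NODE="${NODE:-10.5.0.2}"
DEFENDER_NS="${DEFENDER_NS:-twistlock}"
DAEMONSET="${DAEMONSET:-daemonset.yaml}"
# 0 if namespace $1 is listed under "exemptions: namespaces:" in YAML $2 (awk,
# no YAML library needed; handles both indented and unindented list items).
mc_exempts_namespace() {
  printf '%s\n' "$2" | awk -v ns="$1" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *exemptions: *$/ { inex = 1; next }
    inex && /^ *namespaces: *$/ { inlist = 1; ind = indent($0); next }
    inlist {
      if ($0 ~ /^ *$/) next
      if ($0 !~ /^ *- / || indent($0) < ind) { inlist = 0; inex = 0; next }
      item = $0; sub(/^ *- */, "", item); sub(/ *$/, "", item)
      if (item == ns) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# JSON patch that appends namespace $1 to the PodSecurity exemption list
# (assumed path: PodSecurity is entry 0 of cluster.apiServer.admissionControl).
psa_exemption_patch() {
  printf '[{"op":"add","path":"/cluster/apiServer/admissionControl/0/configuration/exemptions/namespaces/-","value":"%s"}]' "$1"
}

# The article's sequence; runs only with RUN_DEPLOY=1 so the helpers above can
# be exercised without talosctl/kubectl installed.
deploy_defender() {
  mc=$(talosctl -n "$NODE" get machineconfig -o yaml) || return 1
  if ! mc_exempts_namespace "$DEFENDER_NS" "$mc"; then
    talosctl -n "$NODE" patch machineconfig \
      --patch "$(psa_exemption_patch "$DEFENDER_NS")" || return 1
  fi
  kubectl apply -f "$DAEMONSET" || return 1
  kubectl -n "$DEFENDER_NS" rollout status daemonset/twistlock-defender-ds
}

# Constructed sample of the default Talos PodSecurity block (kube-system only).
SAMPLE_MC='cluster:
  apiServer:
    admissionControl:
      - name: PodSecurity
        configuration:
          exemptions:
            namespaces:
              - kube-system
          defaults: {enforce: baseline}'
if [ "${RUN_DEPLOY:-0}" = 1 ]; then deploy_defender; fi
```

Run with RUN_DEPLOY=1 on the machine that has talosctl and kubectl configured for the test cluster; without it the script only defines the helpers.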
Additional Information
Release notes for Talos OS support in 22.12 Update1